Security Problems in Mozilla products: Finding 'em, Fixing 'em

Just got an email today from CERT that details (wait while I count 'em, okay?) ... six critical security problems with Mozilla. The Known Vulnerabilities in Mozilla Products page contains more.

The problems are far-reaching, from buffer overflows with VCards, buffer overflows with BMPs (yes, more problems with pictures), heap overflows with URLs (unbelievable), and buffer overflows with the POP3 handler (ugh). I reckon that if we had a 'super-critical' category, these should go into them. However, I have to admit that exploits for these haven't been seen in the wild yet.

Never mind, install the latest version of mozilla, and carry on with life. What is interesting reading are the notes that come with the bug reports. You can see how the bugs were presented and addressed. Note that a handful of programmers each time solved the problem. You don't need huge armies of coders, just a few dedicated ones.

I guess it's true: Never doubt that a small group of thoughtful and committed citizens can change the world.

JPG pictures can be hazardous to your PC

Of course, it goes without saying that this is a Microsoft problem. I remember, once upon a time, we used to say "Well, you got to be careful about viruses and all, but pictures are okay. JPGs are okay".

Well, paint me yellow and call me a canary, because it seems now that they aren't. A vulnerability in Windows XP means that viewing a picture on the Internet now could result in an infected PC.

Strange but true, stupid but true.

Anwar: Did the majority judgement really acquit him?

Finally, nearly a fortnight after the original judgement was realeased, somebody from the mainstream press has picked up as a major issue what most of us who actually read the judgement saw on the first day:

To summarise our judgment, even though reading the appeal record, we find evidence to confirm that the appellants were involved in homosexual activities and we are more inclined to believe that the alleged incident at Tivoli Villa did happen...

The Anwar Ibrahim Majority Judgement, Delivered by Justice Dato’ Abdul Hamid bin Haji Mohamad, Page 36.

While the testimonies of Dr. Mohd. Fadzil and Tun Haniff and the conduct of the first appellant confirm the appellants’ involvement in homosexual activities...

The Anwar Ibrahim Majority Judgement, Delivered by Justice Dato’ Abdul Hamid bin Haji Mohamad, Page 36.

In nearly thirty articles published by the Star on 2 and 3 September, there was only one mention of these lines, and that was in a throwaway paragraph that did not dig deeper (or even dig shallow) into the issue.

The issue is this: In a majority judgement that acquits Anwar, this single line makes it clear that the acquittal is on a technicality, and not because the court disbelieved that he was guilty of an 'act against nature'. "We know he's guilty, but we're going to release him because the prosecution was so incompetent at presenting a case," seems to be a message.

If this is true, then the homophobic-inducing stain that was painted on him isn't truly gone, and it's only a matter of time before somebody raises it as, "look, even those who let him free think he's guilty".

Incidentally, I was surprised when I initially read this line, because there is nothing in the 35 pages preceeding it that built up to it. I am not a lawyer, but I felt that it was a little out of place in a judgement that so meticulously built up a case for the acquittal.

Anyway, Karpal Singh has come out and asked for the comment to be expunged. As with all things Karpal, I expect this to snowball a little and look to more in the press.