SEPT. 2007 LIST OF THE MONTH
This month’s List of the Month is about gratitude, by the end. But it starts with computer programming, in particular the Internet browser Firefox.
Doubtless you have read in the newspapers about vulnerabilities discovered in Microsoft products, which had the potential to be hacked and to permit the unauthorized use of personal information. What you have read is, to use the perennial proverbial cliché, the tip of the iceberg.
What follows is a highly selected list of vulnerabilities discovered in Mozilla products (Mozilla originated Firefox). The introduction to the full list stated that “This is not meant as an exhaustive list of all security-related bugs. To find technical discussions of security-related bugs, visit Bugzilla. This page lists security vulnerabilities with direct impact on users. All of these vulnerabilities have been fixed prior to the most recent release.”
If you think you know English, prepare to learn otherwise now. Take a deep breath, start reading, and when you can’t stand it any more, skip to the end.
Some vulnerabilities:
--MFSA 2007-17 XUL Popup Spoofing.
Used to mean: kids trying to scare each other while trick-or-treating on Halloween.
--MFSA 2007-14 Path Abuse in Cookies.
Used to mean: getting caught with your hand in the cookie jar.
--MFSA 2007-13 Persistent Autocomplete Denial of Service.
Used to mean: dialing the wrong number.
--MFSA 2007-12 Crashes with evidence of memory corruption (rv:1.8.0.12/1.8.1.4).
Used to mean: “I sure was drunk, wasn’t I?”
--MFSA 2007-11 FTP PASV port-scanning.
Used to mean: going to the dock to see someone off on a cruise.
--MFSA 2007-09 Privilege escalation by setting img.src to javascript: URI.
Used to mean: why the top executives got better coffee and the best parking spaces.
--MFSA 2007-07 Embedded nulls in location.hostname confuse same-domain checks.
Used to mean: the shop confused your check with one written by someone else with a similar name.
--MFSA 2007-03 Information disclosure through cache collisions.
Used to mean: when you get in an auto accident, you have to exchange addresses and phone numbers.
--MFSA 2007-02 Improvements to help protect against Cross-Site Scripting attacks.
Used to mean: the teacher caught on that other people in your class were passing nasty notes about you.
--MFSA 2006-76 XSS using outer window's Function object.
Used to mean: the guy next door is building an addition that will block your view.
--MFSA 2006-75 RSS Feed-preview referrer leak.
Used to mean: you forgot that your family would smell their surprise dinner and guess what it was.
--MFSA 2006-73 Mozilla SVG Processing Remote Code Execution.
Used to mean: in sandlot kid football, the play the pushy loudmouth quarterback called which nobody understood, but the defense forgot to cover one of the ends so it worked anyway.
--MFSA 2006-71 LiveConnect crash finalizing JS objects.
Used to mean: there are no atheists in foxholes.
--MFSA 2006-67 Running Script can be recompiled.
Used to mean: “Just put it on my tab.”
--MFSA 2006-59 Concurrency-related vulnerability.
Used to mean: if you don’t think your wife will guess that you’re cheating on her, think again.
--MFSA 2006-56 chrome: scheme loading remote content.
Used to mean: the way politicians always make it sound better than it is.
--MFSA 2006-39 "View Image" local resource linking.
Used to mean: kibbitzing.
--MFSA 2006-31 EvalInSandbox escape (Proxy Autoconfig, Greasemonkey).
Used to mean: blaming it on your little brother.
--MFSA 2006-01 JavaScript garbage-collection hazards.
Used to mean: “The trash collectors banged up our wastecan again this morning.”
--MFSA 2006-13 Downloading executables with "Save Image As..."
Used to mean: The President trying to make himself look better by firing subordinates.
--MFSA 2006-22 CSS Letter-Spacing Heap Overflow Vulnerability.
Used to mean: “You need to clean your desk.”
--MFSA 2006-05 Localstore.rdf XML injection through XULDocument.persist().
Used to mean: The rich out-of-state people who bought the general store don’t care how much money it loses.
--MFSA 2005-53 Standalone applications can run arbitrary code through the browser.
Used to mean: “You better repair that fence, because if the heifers get out they’re going to eat my flowers.”
--MFSA 2005-47 Code execution via "Set as Wallpaper."
Used to mean: “If you sign up for our credit card, we’ll put a scenic design of your choice on it.”
--MFSA 2005-43 "Wrapped" javascript: urls bypass security checks.
Used to mean: “While the cops were in the donut shop, burglars were robbing a store.”
--MFSA 2005-40 Missing Install object instance checks.
Used to mean: asking your wife where you put something.
And so on. Two general points here:
1. Aren’t you glad there are people who really know about these things, so your computer operates day after day and mostly does what it’s supposed to?
2. Aren’t you glad our school system has a fully funded program for the gifted and talented, so that the advanced computer work of the future will be done in this country rather than overseas?
Muggings, thuggings and buggings can be sent to [email protected].