Mozilla Security Hole: Household Emergent Behavior Vulnerability

I sent the following to the security list at 4:02 PM EST. I rate it a “critical” security vulnerability due to the harm it can inflict. This vulnerability is found in all Mozilla products to date (including nightlies).

Overview
Apparently Firefox has been making sexual advances towards Roomba’s (as seen on slashdot 02/05/2005), causing them to lock themselves in rooms in order to avoid being molested by the otherwise innocent looking Mozilla Products. Similar problems have been reported with other electronic devices: Toasters, VCR’s, Cell Phones, Alarm Clocks, Rosie the maid from the Jetsons, Johnny 5, R2D2, and Al Gore. I suspect people with pacemakers may be at risk, but I have yet to find any direct evidence or testimony.

Analysis
The vulnerability seems to be in nsISEXUALadvance, though libPr0n may also be problematic. There are actually 3 distinct problems with nsISEXUALadvance:

  • Doesn’t check to see if object.sexualDesire is of the same platform type
  • Doesn’t check to see if object.sexualDesire is >= age Of Consent
  • Doesn’t check to see if object.sexualAdvanceCount <= 1

I have yet to find if libPr0n has any influence on this bug. There is some research that suggests it many influence this behavior, though some ideological bias may be influencing that conclusion.

Products Effected
This vulnerability effects all Mozilla products tested.

Recommendation
I’d suggest this block Firefox 1.1, as well as Mozilla 1.8b until it’s resolved.

Provided and/or discovered by:
Robert Accettura Feb 5, 2005

Etc.:
This fufills a statement that I gave Asa over IRC that I could beat some of the other goofy stuff that comes in to security@mozilla.org.

Busy Week or Two Ahead

I’m going to be rather involved with school, so I’m not sure I’ll be posting to much, or accomplishing to much in the next week or two. Apparently I have Thursday off, so that should make a 4 day weekend, and make my life much easier. So hopefully I can gain the upper hand by Thursday and put myself in a more relaxing situation…. we can hope right?

Or perhaps Monday and Wednesday I’ll have really productive afternoons and get lots of work done with minimal effort…. that would be great.

I will of course be online for the Firefox launch as much as I can 😀 I’ve got a few classes, but I’ll be checking in throughout the day to see what the estimated download count is… and to share in some of the IRC fun that will follow.

It’s time for an international standard on Instant Messaging

Well, actually it’s well past time. Instant Messaging has all the earmarks to be the communications of the future, and it royally stinks.

Problems today:

  • Networks don’t communicate together, hence locking users in (MSN, AIM, Yahoo!)
  • Phones don’t Text Message (same as IM essentially) across networks. Barely from net to phone.
  • Each has proprietary ‘extras’ (file transfer method, voice chat, web cam, pictures, etc). Far from standardized.

I think it’s time for the IETF to write up an official recommendation for Instant Messaging.

Here’s my wish list:

  • UTF8 encoding for all messages
  • XML messages. Adds capabilities to easily integrate with other systems (since XML is the way of the future). Stylesheets define how it appears.
  • MathML support – for those wanting to get geeky.
  • SVG Graphics – why not? Slim, clean, XML. This could be used for multiple things: Emoticons 🙂 for example could be sent via SVG. Things like whiteboard (which allow you to draw and have the other party see what you draw) could be done in SVG.
  • Of course, an open standard, like Email. Cross platform, many clients, no licensing restrictions. So everyone can enjoy it.

With this, there’s a lot of flexibility. Using XML as a message format, rather than HTML, allows for a stylesheet to render it pretty. A person with a vision impairment could have a product read the XML directly. You could honor a stylesheet provided by the person you are talking too, download them online, or create your own. Big text? Small text? Color contrast? All in your control. And with SVG emoticons, they can resize appropriately without losing quality. Phones can resize as necessary thanks to custom stylesheets.

It’s a real shame it hasn’t happened yet. There’s no great IM clients. The protocols all have their limitations (AOL stinks behind firewalls, Yahoo’s got minimal users, MSN is spam ridden). All the current systems stink. Their clients are even worse. AOL’s adware, MSN’s buggy client (and terrible Mac client), Yahoo’s terribly slow development.

Look at all the IRC clients available. So many, each with their own features, toys, ehancements. All working together.

Yes, I do hate IM’s as of today. But imagine what could be done? It could be as universal as email. Secure, fast, flexible framework. But instead, we’ve got garbage to date.

The time for standards in IM is now. It’s only going to get more proprietary from here on out. And lock users into their networks.

Oh… spam prevention built into the protocol would be nice. Lets avoid another Email like spam attack.

Just my $0.02

Why use mozilla?

Well, here’s a quick analysis from #mozillazine this afternoon, the few minutes I had free.

* Robert just read on slashdot that Mozilla can cure and prevent AIDS and cancer
* Robert also saw the other day it feeds hungry children and keeps michael jackson away from children
[Asa] Our new slogan should be, “Using Mozilla and Firefox will make Asa happy — and who doesn’t want to make Asa happy?”
*Robert read on CNET that Janet jackson’s Wardrobe malfunction doesn’t happen with Mozilla, and Stevie Wonder’s eyes work properly in Mozilla
* Robert thinks Janet Jacksons wardrobe malfunction was something funny with JavaScript
[Asa] Robert: actually, mozilla users would expect janet jackson’s wardrobe malfunction to happen to everyone 🙂
*Robert hopes Asa is wrong… lots of ugly people around

It’s nice being productive.

IRC blocked

My school has been blocking port 6667 because of some virus, prohibiting me from getting on IRC for the past few months. Much to my dismay.

My question of the day:
Can you get me (legally) on IRC? Comments/Email Welcome.

I’ve been wanting to spend some more time on #mozilla. But this has been blocking me for some time. And I’m fed up.

Bugday

Bugday is coming very soon. Sadly IRC is blocked here because of what Info Sys. says is a virus plaguing the network. So I’m a no go.

Enjoy and good luck to all. Hopefully I can manage to get on the action some way or another.