Mozilla VPN: CVE-2023-4104: vpndaemon wrongly implements Polkit authentication (openwall.com)
262 points by rkta on Aug 4, 2023 | 124 comments


> We publish this report today, because the maximum embargo period of 90 days we offer has been exceeded. Most of the issues mentioned in this report are currently not addressed by upstream, as is outlined in more detail below.

> [...]

> 2023-05-04: We privately shared the findings with security@...illa.org, offering coordinated disclosure according to the openSUSE disclosure policy.

> Until 2023-06-12: There has been a lack of communication by upstream. Relevant questions about the disclosure process remained unanswered, there was no formal reply to our report and no wishes have been expressed about how to continue the coordinated disclosure, or what the next steps would be.

> 2023-06-12: We learned that the embargo over this issue was violated by upstream via a GitHub PR [3] and, inspired by that, our community packager followed suit via another GitHub PR [5].

What a complete clusterfuck. It's unbelievable that in 2023, a company of Mozilla's stature appears to have no proper processes in place for handling serious security vulnerabilities even when they are being reported to them (for free!) by cooperative third parties.

This taints the image of the entire product in my view.


> > 2023-06-12: We learned that the embargo over this issue was violated by upstream via a GitHub PR [3]

To add further context, that PR violating the embargo:

- removes authentication entirely instead of fixing it

- discusses it as if they've discovered the CVE independently, even though it had seemingly been reported to them just 1 month prior. It may be that they did discover it independently, but the timing seems odd for a bug that existed for 3 years.

- discusses it in an extremely casual way, as if the vuln is not severe. Honestly I don't know enough about the vectors here to know what type of CVSS it might end up with.

---

Edit: Based on @AAchen's HN comment, it seems compromise requires local shell, so not an incredibly high severity it would seem. Still curious to see what NVD come out with.


> Still curious to see what NVD come out with

9.8

It's always 9.8.

To be fair, this is an application, so the score might be more grounded in reality. The CVEs I encounter as a developer are always insane and generally massive overreach from security to product design. It's not a vulnerability against all downstream libraries and applications that using some obviously unsafe C++ call might cause a DoS due to poor performance.


CVSS is a poor metric because (by its own definition / admission) it's got a very narrow intent: it doesn't really deal with exploitability in any meaningful way (like e.g. the shell access required here). There is a lot of ongoing discourse on its limitations, but it's all in relatively early stages & imo it's better to have something than nothing (especially when the maintainers of that "something" are aware of its limitations & actively working on better processes).

If you have 10 security bugs, 3 are genuinely high severity and 9 get assigned high severity by NVD, then at least you've managed to deprioritise one of them. It's something (unironically).

This is a pretty decent overview https://www.first.org/epss/model


CVSS is really just used to stack-rank issues and decide how to handle them. Orgs get a list of CVEs, they sort them by score to decide which ones to handle first. From there someone removed from the actual process comes up with deadlines such as "All critical issues, defined as 9.0 or above, must be handled in 30 days." If they are reasonable there is additional language around "or best efforts must be made to resolve or mitigate the issue." If not, gghfdd.

On a side note, CVSS v4.0 arrived around 2023-01 and is.. maybe(?) better: https://www.first.org/cvss/v4-0/


Okay so almost useless, not entirely useless


A solid starting point for a very difficult problem


NVD scores and bug classifications are completely useless, as they are often entirely misclassified. My favorite being that they slap the "network" attack vector on things which are not at all network related or exploitable.


> What a complete clusterfuck. It's unbelievable that in 2023, a company of Mozilla's stature appears to have no proper processes in place for handling serious security vulnerabilities even when they are being reported to them (for free!) by cooperative third parties.

While I agree with your sentiment here, it's not exceptional at all and I've seen security researchers complaining about the same thing coming from at least Intel, Cisco and Google[1]! And I wouldn't be surprised if you could find examples of that regarding Apple and Microsoft as well.

[1] and for Google it was just one month ago: https://matan-h.com/google-has-a-secret-browser-hidden-insid...


In my eyes, at least, Mozilla has been tainted since the Pocket fiasco, if not before. That's when they made it obvious they'd sell their users off for a buck.


Pocket is crapware, and I don't want it in my browser, and the way they forced it upon me left a bad aftertaste, but I still don't see how it constitutes "selling out their users". Pocket is actually owned by Mozilla. It's not like the data is going elsewhere or something.


I was a Pocket user from before they were bought, so I wouldn't call it crapware personally.

Isn't it just a way to sync a reading list across browsers, and have those pages pre-cached on a mobile device for reading when you have no connection?

I'm interested in what people find objectionable about it.

The strongest argument I've heard is that it's not core browser functionality, it was fine before Mozilla bought them, and therefore it's just a distraction/bloat for Firefox. Which is definitely arguable, but probably not a reason to write off the biggest independent browser.


As a Firefox appreciator, it's just not something I ever really wanted to use and it got a pretty prominent place in the UI when it came out. Has similar vibes to when Windows added the weather forecast to the awesome bar.

Imo the people making a big deal out of it are using it to justify why they're OK sticking with chrome (best case), or have a partisan political reason to hate Mozilla because of their ESG / DEI positions (ughhhhhh)


I was a Pocket user basically since it launched (I was looking for an AvantGo replacement, so imagine that), and I still don't understand Mozilla's purchase or very heavy-handed advertisement of it.


Simple: it's profitable. One of the few profitable side ventures they have.

HN loves to simultaneously criticize Mozilla for

1) being utterly financially dependent on Google

2) putting resources into anything except Firefox

3) doing anything that smells like monetizing Firefox

Spoiler alert: They can't avoid 1 without doing 2 or 3. It is what it is.


I'm bothered that it's still not open source, despite promises when it was first announced (it's been 6 years!)


> Isn't it just a way to sync a reading list across browsers, and have those pages pre-cached on a mobile device for reading when you have no connection?

Basically, and I’ve been using it for that since before the acquisition, although recently the Android version had removed the option to cache full versions (only reader mode remains), which has enough of an impact on my usage that I’m planning to migrate away.

Still, there’s a lot of things that seem very misaligned with Mozilla’s mission: the huge dark-pattern tracking banner, the non-open-source nature, the huge dark-pattern tracking banner, the default homepage with weird US-politics-related recommendations that has replaced the actual list, the huge dark-pattern tracking banner, the recommended links inserted at the end of each article as an engagement-driven manipulation, and have I mentioned the huge dark-pattern tracking banner with the accompanying tracking. This would be an expected amount of evil assholery from a random SV startup, but from Mozilla it does feel like a point to add to the betrayal tally (hello EME/Widevine).


The funny thing is that even though it's a Mozilla product now and even though it's somehow "integrated" in the browser, I still have to log into it separately regardless of the fact that I am already logged in with Firefox Sync


Funny that you mentioned that, they're switching quite soon: https://support.mozilla.org/en-US/kb/pocket-firefox-account-...


I was using Pocket when they announced the start of the transition a while back and their flow to migrate bookmarks to the Firefox account just didn't work, I ended up with an empty account – maybe because I was using a different email address for my Firefox account than for my Pocket account but it made me stop using Pocket altogether, really annoying.


And that's more than six years after the acquisition. This was very poorly handled for sure.


My wild guess is that they could not do a SSO with Pocket and Firefox Sync until they got rid of all the other authentication providers/methods that Pocket supported, a change which people like me would complain about.


> My wild guess is that they could not do a SSO with Pocket and Firefox Sync until they got rid of all the other authentication providers/methods that Pocket supported

Why? Technically, it shouldn't be impossible - one shouldn't exclude the other.


JavaScript that the Kobo can't execute for example. The browser/web view on Kobos is very very limited.


Actually as a Kobo owner I've always wondered what JavaScript it can execute, what styles it can render, etc. Always seemed wildly inconsistent. Any idea?


I suspect that very little, if any can be executed. No hard data nor first hand knowledge on that though.


What's the alternative though? All the others have already sold their users off ...


I use LibreWolf.

Free, up to date and sends neither money nor data to Mozilla.

But personally I don't care so much about privacy extremism:

The day another more liberal organization forks it again, adds Google search for some easy cash and starts fixing the extension API etc I am probably going to recommend that.

I already dial back some extreme measure(s), nuking my sessions whenever I close the browser comes to mind.

Also of course I will not use Google myself, but it seems to be the way for browser developers to make a living so I'll allow whoever takes care of the future of Firefox to do the same.


> If you own an Apple Silicon powered MacBook the relative builds are referred to as aarch64, they are cross-compiled and we did not test them before release.

> It is possible that Apple Silicon users see their recently downloaded LibreWolf flagged as broken or unsafe by the OS. This happens because we do not notarize the macOS version of the browser: we don't have a paid Apple Developer license and we don't want to support this signing mechanism that is put behind a paywall without providing significant gains.

Eeerm... no, thank you.

Will reconsider if it appears in openSUSE Tumbleweed repos after passing a security review from the openSUSE team ;)


They're all effectively the same on that point, so I use the one whose interface I prefer, and which performs best on my hardware. Firefox is neither.


I cannot believe how much Hacker News equivocates:

A browser made by an Ad Tech company that aims to lock down and control the web.

And a browser made by a nonprofit that occasionally makes a minor misstep.

You cannot seriously compare the remote attestation DRM, manifest v3 changes, to, what ? the Mr. Robot ad that was tacky? the pocket integration that's pointless and annoying but otherwise harmless?

Seriously, y'all's double standards are insane and focus so much on how bad it was that Brendan Eich got kicked out that it comes off as extremely political


Firefox is NOT made by a nonprofit, that's the problem. It's made by a for-profit corporation using the shell of a nonprofit to claim legitimacy. This for-profit Mozilla Corp is primarily funded by an ad tech company and has itself dabbled in ads multiple times, contrary to the interests of the userbase that the nonprofit should be looking out for. These aren't minor missteps but repeated deliberate decisions to ignore user preferences.


The Mozilla Corporation is a for profit company completely owned by the nonprofit the Mozilla Foundation. Originally there was just the nonprofit, but that caused tax issues with the money generated from the search deal, and after paying a few million to the IRS they switched to the current setup.

I don't think it's fair to claim the nonprofit side only exists to "claim legitimacy." All of their revenue goes back into the corporation or the foundation.


I agree with boomboomsubban above.

This a very common arrangement used by charities to enable a commercial process that funds the charity. For example, high street charity shops may be part of the commercial sub-entity so that their accounts are processed like a normal company, but 100% of their profits become donations to fund the parent charity's activities, called the charitable purpose(s).

If they didn't separate into a parent charity with a commercial sub-entity, all of the activities of the sub-entity would be subject to charity auditing, accounting and purpose rules, which in practice would make it difficult to run a shop competitively, or alternatively the parent could not have charity status and the shop profit would be subject to tax instead of all being directed to the audited, charitable purpose(s).

In Mozilla's case, if it was a tax-exempt non-profit without a commercial sub-entity giving 100% of profits to its parent, it would not be able to take Google funding as a trade in exchange for making Google the default search engine without losing its tax-exempt status, and it might not be able to pay its software engineers a competitive market rate, even if it needs to do that to compete. It would be able to take donations (not as a trade in exchange for something, just as a donation), but that wouldn't be enough to develop a competitive browser.


> In Mozilla's case, if it was a tax-exempt non-profit without a commercial sub-entity giving 100% of profits to its parent, it would not be able to take Google funding as a trade in exchange for making Google the default search engine without losing its tax-exempt status, and it might not be able to pay its software engineers a competitive market rate, even if it needs to do that to compete.

That doesn't sound like a bad thing. Google's funding is not a boon but a shackle that holds FF back. Same for developers that expect SV market rates - those will be developers that are used to the user-hostile software development practiced in other SV companies.

> It would be able to take donations (not as a trade in exchange for something, just as a donation), but that wouldn't be enough to develop a competitive browser.

How do you know? Individual donations are also far from the only possible way to fund a real charity.


Look - I can't claim that there weren't repeated and deliberate bad decisions, and I can't claim that being funded mainly by Google gives the best incentives.

But it is really a nonprofit in that (like the sibling says) the corp is fully owned by a nonprofit, not public shareholders.

And it's not like Google doesn't get anything out of their $. They get set as the default engine. Apple gets paid hundreds of billions by Google for this. So it's not like Google is paying Firefox for control over its development.

Like, seriously, they're not perfect but it's a pretty wide jump in behavior between it and Chrome


Non-profit status and being publicly traded are orthogonal. There are tons of for-profit companies that aren’t publicly traded.


the point is - the corporation is fully owned and controlled by a nonprofit so it is essentially a part of the nonprofit. if you don't see this as a meaningful difference, I don't know how to help ya.


I honestly don’t give a fuck about DRM or attestation. There are only so many things one can find time to care about, and neither makes my list.


Yeah, I'd understand not caring. That's a pretty common and reasonable take, though I'd hope a tech website like this would be more pro-privacy.

But actively caring about browser companies, and choosing Chrome because Mozilla "sold out" when they added pocket is a pretty wild take imo.


Privacy… eh. I care… somewhat. I’ll do things I personally consider reasonable, but I think that, say, the people who completely clear browser state every 5 minutes are barmy (and also probably much more exposed than they think they are - the very act of trying to not leak anything makes them stand out, if anything).


Yeah that's a pretty reasonable take tbh. I do all that, but I'm fully aware it's silly and probably counterproductive.

& hey, if you prefer Chrome because you find it more usable or performant that's a perfectly good reason

I'm mostly upset at the people in this thread (presumably not you) who seem to be against Firefox for ideological reasons which seems completely backwards to me


Pretty reasonable to support the erosion of privacy and foster a "I have nothing to hide, and if you act like you do you're probably guilty lmao" culture along with an Orwellian monopolistic grip on the foremost medium of information exchange of this and probably the next century because of your personal apathy. :) #justreasonablethings


Hey, I'm pretty big into privacy myself. Firefox all the way, 100%. Totally feel you that it's awful.

As much as I'd love it though, I don't think it's reasonable to expect everyone else to care as much as we do. There's plenty of other issues that matter too that I'm glad other people are out there caring about on my behalf. Eg. I know being vegan is better but it's a big annoying change and I haven't been able to do it yet.

I'm mostly concerned with all the rhetoric here that's trying to paint Firefox as unsympathetic when they are clearly the people fighting on our side. If you don't personally care enough to switch to FF, or use GrapheneOS, or run Linux etc. I get that, but pleeease don't also try to discourage other people too, y'know?

(& ofc the real solution is through policy and getting an American version of GDPR/California Privacy act, getting courts to stop the NSA etc. Being preachy online is counterproductive to getting broad support and the mission overall imo)


I already get pop ups from my insurance company (a major one I might add) that FF is not a supported browser when I log into their website. I assume that one day I'll be told to use Edge or Chrome and not allowed to log in at all.

I'm not a privacy fanatic and I don't really care if my browser supports proprietary DRM so that I'm able to watch shows on streaming platforms. However, I see a lot of potential for the remote attestation mechanism proposed by Google to give companies an easy way to enforce "We support this set of browsers on this set of operating systems" and effectively cut off support for Linux and browsers that aren't popular Chromium variants. That doesn't mean I can't go and switch companies but that requires a lot of effort on my part to do so.


It's worse than selling users off. Pocket was integrated for free and Mozilla later bought Pocket. In essence Mozilla paid to sell its users. (And I liked "Read It Later", the extension that saved an offline copy of the website, which was later renamed Pocket and removed that ability.)

Same with that hidden spyware ad/extension (distributed using channels reserved for delivering 0day bugfixes). Mozilla shit on its users without even getting paid for it.


> It's worse than selling users off. Pocket was integrated for free and Mozilla later bought Pocket. In essence Mozilla paid to sell its users.

Maybe I have reading comprehension issues, because it seems to me like it isn't worse than selling users off. Mozilla sold its users... to itself. That's really bad, right?


The alternative is Mozilla not doing so.


You either use Firefox, Edge (fork of Chrome), or Chrome today. Serious companies and the average person only use Chrome or Edge. Anyone serious about privacy is using Tor. Hipsters acting like they're serious about privacy are compiling Firefox or Chromium from source.

"Selling users off" only matters to anyone trying to push some unheard of and less-secure forks of Chrome or Firefox. Nobody notable code-reviews these browsers, you're at the mercy of some random person or small group to play catch-up with upstream browsers, and you're ultimately still locked into somebody else's decisions.

I use Firefox because double-clicking code one-liners from my wiki doesn't add a newline when pasted into Terminals on Linux, which I use on desktop for the challenge of it. Windows Terminal on Windows doesn't have this issue from any browser and I'm free to use Edge or Chrome there.


[flagged]


> traditional free software values (like respect for others' beliefs, freedom of conscience)

A. I'm not sure such a state ever existed in open source, this feels very "Make open source great again", pining for a time that never was

B. Nothing says "respecting others' beliefs" like trying to prevent others from marrying.

Mozilla was on the downslope long before Brendan and given what he did afterwards (Brave) it's clear he would only have accelerated Mozilla's demise. I guess we all missed out on FireCoin or whatever other scam he would have run.


Brave grew from nothing to 22M DAU, while Firefox lost share pretty much every month over those 8 years.

Your "FireCoin" b.s. aside, you can't explain how Brave grew while Firefox shrank. Surely, ritually-impure me would have meant failure for Brave, which you assume falsely in order to claim I'd have wrecked Mozilla worse than it got rekt without me. This is counterfactual.


ESR used to be a widely respected figure in open source. Open source has pretty obviously become much less politically tolerant over time.


  Open source has pretty obviously become much less politically tolerant over time.
There was never a time when open source was tolerant of outright bigotry.


Okay? How is this relevant to the discussion? We're not talking about 'bigotry'.


You're a bit blind to it, but yeah, we are. Patience for ESR ran out over his calling all black people criminals, claiming all women were chomping at the bit to toss around fake rape accusations, and blaming homosexuals for HIV, etc., etc. That's bigotry whether or not you agree with his premise.

Show me a time when the open source community was ever okay with that kind of bullshit.


The time when ESR was a universally accepted member of it, given he literally invented the term. The time when he was a leader of it for many years. All time right up until a couple of years ago when entryists performed a hostile takeover to impose their niche Silicon Valley political views on everyone else.


IOW, you can't demonstrate the open source community being tolerant of bigotry? Got it. ESR ran his mouth and "suffered" the consequences. Fuck around and find out as the kids say. There was no so-called "hostile takeover" nor imposition of "niche Silicon Valley political views".


>IOW, you can't demonstrate the open source community being tolerant of bigotry? Got it.

As I already explained, the topic of this thread is not bigotry, but something that you, unilaterally, have labelled 'bigotry'. Those are different things.

>ESR ran his mouth and "suffered" the consequences. Fuck around and find out as the kids say.

Wow you seem such a nice and tolerant person. (inb4 you bring up the 'paradox of tolerance' in a way that demonstrates you didn't understand it at all)

>There was no so-called "hostile takeover" nor imposition of "niche Silicon Valley political views".

... he says, immediately after saying that someone was essentially blacklisted (oh no, I said one of the bad words! BLOCKLISTED, not blacklisted, SORRY FOR MY RACISM!!!!) for having a right-of-centre political opinion.


Given how much flak Brave (and by extension Eich) gets on HN, it's somewhat ironic that you identify his departure as the moment when Mozilla abandoned its traditional values.


HN is obviously, by its very nature, representative primarily of silicon valley.


Much less so than 10 years ago, when 2/3rds of the posts were about either Y Combinator itself or companies taking part in the accelerator.

This is VASTLY more popular and diverse now.


Diverse in nationalities and backgrounds, yes. Diverse in viewpoints, not so much.

The Overton window is quite narrow on HN, and I have the distinct impression it is narrowing further. Though I do admit that within that window, discourse is very lively, to the extent that a casual observer can easily be fooled into believing this is a place for free exchange of ideas.


> This is VASTLY more popular and diverse now.

How do you measure diversity on HN?


Looking at the amount of traffic coming from Non-US IPs would be a start. It was incredibly US centric back in the day.


Erm, diversity is a lot more than just geolocation


> [...] he was appointed chief executive officer, but resigned shortly after his appointment due to pressure over his firm opposition to same-sex marriage.

Source: https://en.wikipedia.org/wiki/Brendan_Eich


Over his donation to a (very) popular political campaign in California.

Recall that Obama was elected in the same year as Eich's donation on a platform that marriage is defined to be between a man and a woman, and that the proposition in question passed with 52% support in California, one of the most socially liberal states in the USA.


People don't like Obama either. The virtue signalling by proxy is lame, no?


He won a landslide victory.


[flagged]


I am sure the people that voted will be happy to hear that they only voted because of advertising and that they can't even think for themselves.


>the only view you are allowed is the one approved by people that spend their lives on Twitter.

I'm reasonably sure most of those people moved to Mastodon.


thanks memefrog


Based frog.


[flagged]


You cannot simply declare your every worldly desire to be a "civil right". You don't have a civil right to change the meanings of words.


I don’t think there’s a point in stretching the author’s claim here: marriage between competent adults is about as firmly within the “civil right” category as anything can be.


That includes polygamy of course, right? I mean, if all people involved are competent, consenting adults, why wouldn't that be a civil right? Do you agree? Or is that one of those "Let me in, then close the door" type of issues?


Polygamy is a tough one because historically it has been strongly associated with certain fringe sects that are heavily male dominated, and the women are treated more like household servants than wives. Old school “it isn’t rape if we’re married” types. The women aren’t allowed jobs, divorce, or personal finances.

Actual, honest to goodness, full-freedom and consent polygamy I personally have zero issue with. Live and let live, as long as you aren’t telling me how to live MY life.


So marriage is a civil right, except when people have a gut feeling that it's problematic and throw around "think of the X!" moral panic tantrums.

This attitude seems to define civil rights today, from drug prohibition to sexual liberty. Ironically, it very closely resembles how conservative moralism operates and has always operated.



I'll reframe this for you: in a liberal society, we default to open social policies rather than closed ones. There's no moral or principled legal basis for the civil right of marriage being extended to only straight couples.

Restricting polygamy does have a principled legal basis: it's historically associated with subjugation, and you don't have a civil right to subjugate others. If and when that association vanishes (i.e., society is convinced that all parties are able to competently consent), then there will be no legal basis for excluding them from the civil right of marriage. Your "ick" response is not a valid basis.


You seem to be conflating the legal definition of marriage with a christian definition of marriage. While both are malleable, it's well within the scope of government to alter legal terms. In fact that's precisely what Eich was trying to do in the first place.


If Eich was legally trying to change legal terms using legal means, then what is the problem?


Because we like gay marriage, duh.


I was not the one making a claim that legal terms are immutable. My argument is that by working to deny civil rights to a subset of what would become his employees he is incapable of leading Mozilla.


Or it makes _them_ incapable of working for Mozilla. If you can't handle having a working relationship with someone that disagrees with you, then what kind of colleague will you be? Are you going to tolerate a coworker that disagrees with you politically? Are you going to be able to manage or be managed by someone with a different background to you?

Someone that won't work for a company whose CEO donated in 2008 to a mainstream political cause (widely supported across the political spectrum including by the left-wing President of the time) is not the sort of person anyone would want to work with, tbh!


This isn't a mere political disagreement, this is someone actively working to deny civil rights.

Now there's a few ways to approach that. Look at your emotional reaction, screeching that you can't redefine marriage (a mutable legal term) and the rank hypocrisy of that argument in the face of Eich doing his best to redefine marriage to suit his predilections. Now consider how strong your opinions are in spite of the fact that legalizing same-sex marriage does not negatively affect you in any way whatsoever. Imagine how strongly someone would feel if Eich's campaign to redefine marriage (and deny you the legal protections and benefits associated with marriage) actually affected you.

Alternatively, let's assume your hot take is true, that the real problem is employees being incapable of working for someone trying to deny civil rights. Imagine that you want to hire a CEO that would render large swaths of your company incapable of working for you. You don't see a problem with that?

  widely supported across the political spectrum including by the left-wing President
  of the time
If you're just going to make shit up to support your argument, it's awful hard to take your hyperventilating seriously. Obama publicly condemned Prop 8 and didn't equivocate. Even the notoriously homophobic Feinstein opposed Prop 8.


>This isn't a mere political disagreement, this is someone actively working to deny civil rights.

What do you think political disagreement is? You can frame any political disagreement as a matter of 'civil rights'. Even if we accept that marriage is a human right (I would say it's one of many societal institutions that has some legal consequences) it's not clear to me that marriage is a 'civil right' as opposed to a social right. The normal legal distinction is between 'civil and political rights' (protected by law in all democracies) and 'economic, social and cultural rights' (protected by law in Europe, but not in Anglosphere countries, where their status as 'human rights' is debated).

Should the state provide housing to everyone? Political disagreement, right? No, that's the 'right to housing'. Should the state provide jobs to everyone? Political disagreement, right? No, that's the 'right to work' that's being engaged there. If you disagree, then you want to deny someone their civil rights. etc.

>Now there's a few ways to approach that. Look at your emotional reaction, screeching that you can't redefine marriage (a mutable legal term)

I disagree. I don't think it's a legal term. Is water a legal term? Is book? Obviously any term can be used in legal instruments, but that doesn't automatically make it a legal term. The law didn't (traditionally) define marriage. Marriage was a social institution with a well-established meaning, and it had legal consequences. But marriage is clearly a pre-legal concept that had legal consequences attached, not something conjured up by the law.

Putting 'a mutable legal term' in parentheses after the word doesn't make it one.

>and the rank hypocrisy of that argument in the face of Eich doing his best to redefine marriage to suit his predilections.

Eich didn't attempt to 'redefine marriage'. The attempt that was being made was to retain the same definition of marriage that has existed for thousands of years.

>Now consider how strong your opinions are in spite of the fact that legalizing same-sex marriage does not negatively effect you in any way whatsoever.

It negatively affects me in lots of ways. It's directly led to a world in which you can be fired for refusing to use someone's 'preferred pronouns'. It's directly led to a world of 'drag queen story time'. The slippery slope is just a fallacy, right? Right? Lol.

>Imagine how strongly someone would feel if Eich's campaign to redefine marriage (and deny you the legal protections and benefits associated with marriage) actually affected you.

As I have already said, the campaign that Eich contributed a small amount to did not seek to redefine marriage. Civil unions already existed and the legal protections and benefits afforded to married couples could have been extended to those in civil unions.

>Alternatively, let's assume your hot take is true, that the real problem is employees being incapable of working for someone trying to deny civil rights. Imagine that you want to hire a CEO that would render large swaths of your company incapable of working for you. You don't see a problem with that?

A few very vocal employees complained about it. The company chose them over Eich. Today, Mozilla is one of the single most woke companies. It has publicly stated multiple times that it wants to deplatform people for expressing milquetoast views that were universally held a decade or two ago, and are still widely held today.

And again, your question is presumptuous. You presume within the wording of your question that this has something to do with 'civil rights'. It doesn't.

> If you're just going to make shit up to support your argument, it's awful hard to take your hyperventilating seriously. Obama publicly condemned Prop 8 and didn't equivocate. Even the notoriously homophobic Feinstein opposed Prop 8.

https://www.politico.com/blogs/ben-smith/2008/08/obama-says-...

Obama said that marriage is between a man and a woman. Multiple times.


It's irrelevant. What was his approach to software? That's what matters. Clearly his removal has not boded well for the company.


As a CEO his ability to lead the people that work for him is entirely relevant.


Cool... So if Eich was in the wrong, then ipso facto, Mozilla did a good thing kicking him out? If that is the case, why are people lapping to Brave as if it's the next best thing?

Brave has this, brave has that.

Brave is Chromium. It is helping Google cement its dominant position. If Brave wanted to "help" the internet be free, they could have easily forked Firefox or Safari/WebKit even, but no. They decided on the least work, high margin work of skinning Chromium. And no, Brave is not a fork. They are not a hard fork, soft fork maybe, but it definitely helps count Chromium numbers.


I see Brave doing a lot of advertising and PR, not organic switching.


Everyone that disagrees with you is just doing what advertising and PR tells them to do. Your views though? Entirely based on thoughtful consideration, independent of any social influence? Right?


I fail to see how that fits the paradox of tolerance. Popper's proposal was that those we should deem intolerant to the point where the rest of us should not tolerate them are:

- intolerant to the point they do not engage in debate and the political process, or prevent others from doing so

- urge or use violence instead of debate and the political process

Eich made a donation to a political campaign that, to the best of my knowledge, engaged in debate and the political process and did not use violence, and I'm pretty sure someone would've brought it up by now if it had.


This is what happens when lawyer/MBA executives fire technical workers to take those salaries for themselves. Mozilla, like fish, is rotting from the head.


Impact: local users on the system, including dummy service users like 'nobody', can perform actions on a running Mozilla VPN daemon via D-Bus, including activating the VPN with a server of the attacker's choice, deactivating the VPN, obtaining log files to see when the user historically activated the VPN, and clearing log files

So you need to have a local shell on the system of the user you want to attack. Not cool, it violates permission boundaries that are there for a reason, but the headline sounded to me like a remote authentication bypass (I'm not into the whole D-Bus/Polkit thing) which this is not


Local unprivileged shell is not an unreasonable thing to get on Linux since most people are building random software regularly. Among the things I know I should be doing but I don't: using a dedicated user for building everything; sandboxing the build process using some bwrap/container.


Privesc is also trivial on desktop Linux :P so if your barrier is "but I'm an unprivileged user" it's likely not enough. You need a proper sandbox if you want to make escalation difficult.

ex: Desktop Linux systems running X have a trivial escalation path; any program can read all keystrokes across all users. You type your sudo password in, you're screwed.

Or if the attacker is running as your user they can just modify your bashrc, aliases, etc, to do a whole bunch of things - like having `sudo` go to an attacker controlled binary - that one will work on the server, too!

So yeah sandboxing builds is super important because "unprivileged users" are almost always one trivial step away from full root.
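The comment above describes one of the escalation paths from an unprivileged shell: a shadowed `sudo` planted in the user's shell startup files. As an added example (not part of the original post or of Mozilla VPN), here is a small defensive audit that flags aliases, shell functions and user-writable PATH prefixes that could shadow privilege-escalation commands; the rc content it scans is constructed inline.

```python
import re
from pathlib import Path
from typing import List

# Constructed sample ~/.bashrc content for demonstration (not from a real system).
SAMPLE_RC = """\
# ordinary user configuration
export EDITOR=vim
alias ll='ls -la'
alias sudo='/home/user/.local/bin/sudo'
sudo() { /tmp/x "$@"; }
export PATH="$HOME/.local/bin:$PATH"
export PATH="/usr/local/bin:$PATH"
"""

# Commands whose shadowing hands the attacker a password or a root shell.
PRIVILEGED_CMDS = {"sudo", "su", "doas", "pkexec"}

ALIAS_RE = re.compile(r"^\s*alias\s+([A-Za-z0-9_.-]+)=")
FUNC_RE = re.compile(r"^\s*(?:function\s+)?([A-Za-z0-9_.-]+)\s*\(\)\s*\{")
PATH_RE = re.compile(r'^\s*(?:export\s+)?PATH=["\']?(.+?)["\']?\s*$')
# Leading PATH entries that the unprivileged user can write to.
USER_DIR_RE = re.compile(r"^(\$HOME|~|/home/|/tmp/|\.)")


def audit_rc(text: str) -> List[str]:
    """Return one finding per line that could shadow a privileged command."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ALIAS_RE.match(line)
        if m and m.group(1) in PRIVILEGED_CMDS:
            findings.append(f"{lineno}: alias shadows {m.group(1)!r}")
            continue
        m = FUNC_RE.match(line)
        if m and m.group(1) in PRIVILEGED_CMDS:
            findings.append(f"{lineno}: shell function shadows {m.group(1)!r}")
            continue
        m = PATH_RE.match(line)
        if m:
            first = m.group(1).split(":")[0]  # only the first entry wins lookup
            if USER_DIR_RE.match(first):
                findings.append(f"{lineno}: user-writable dir {first!r} prepended to PATH")
    return findings


def audit_home(home: Path = Path.home()) -> List[str]:
    """Audit the usual startup files of one account; missing files are skipped."""
    results = []
    for name in (".bashrc", ".bash_profile", ".profile", ".zshrc"):
        rc = home / name
        if rc.is_file():
            results += [f"{name}:{f}" for f in audit_rc(rc.read_text(errors="replace"))]
    return results
```

This only catches plain-text definitions; anything sourced from another file or built with `eval` needs the same scan applied to those files, and a check of `PATH` in a live shell is still needed.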


There's no reason for your build user to require access to X.


Or even most (all) namespaces of the host!

Beyond just minding privileges of the user, building in a container/chroot/etc is nice from a cleanliness/repeatability perspective.

For those interested in the Fedora packaging ecosystem -- look into fedpkg and mock

https://docs.fedoraproject.org/en-US/package-maintainers/Pac...


This is a great attack vector on corporations that use shared servers for their users.


I don't think they would be running the Mozilla VPN client on those servers, though.


>an openSUSE community packager wanted to add the Mozilla VPN client [1] to openSUSE Tumbleweed, which required a review [2] by the SUSE security team, as it contains a privileged D-Bus service running as root and a Polkit policy.

and this is why I tell everyone who wants to run a rolling release distro to go with openSUSE rather than distros where people just install random packages from community repositories. They are so underrated given the scrutiny they put into their packaging and build process.


The summary seems to ignore upstream.

They did in fact:

- remove Polkit: https://github.com/mozilla-mobile/mozilla-vpn-client/pull/70...

- refactor auth using D-Bus: https://github.com/mozilla-mobile/mozilla-vpn-client/pull/71...

These are why the author's PR was dropped.


These are some nasty implementation bugs, but honestly, there are some way more serious design issues at hand here.

A user-configured VPN should not run as root and affect networking for the entire system; the whole VPN process should run in its own network namespace with no more privileges beyond those of the user activating it. Processes that need to use the VPN (rather than clearnet) should be attached to that same network namespace. If necessary, you can even avoid attaching a NAT (e.g.: slirp4netns) to the namespace so that if the VPN dies there is no data leakage.

I get that running things as root has a bit more performance, but compromising on security for the sake of performance doesn't sound like the right approach for this kind of software.


I can't imagine that root is any faster. It's just a lot easier to run things as root vs splitting out separate processes with their own isolation mechanisms.

That the service runs as root isn't really the issue here. None of the attacks rely on the abuse of some root capabilities; it's an authentication issue that abuses how the service works. Even if it were unprivileged somehow, this would still be the same impact.


Even with netns you'll need to run some parts as root, so you'll need to use privsep. Network namespaces are a really cool Linux feature, they're great for using multiple VPNs for different things. But for the average user, I'm not sure if netns has great integration with common desktop environments and it's on the user to make sure they don't accidentally run their program in the wrong/default network namespace.


What VPN software doesn't run as root?


Yeah, for some reason almost all user-specific customization of network-connectivity (VPN, DNS, etc) requires root privileges.


Yeah, because it affects networking in the entire system.

If some pam session module were to set up its own network namespace that is shared by all user processes after login, this could be (mostly) solved. The result would be some surprising behaviour though, as processes outside have a possibly vastly different view of the network.


Just like containers?.. I don't see how that's surprising or undesirable.


Not necessarily undesirable, but definitely surprising as it's a major change from the current behaviour.


Looks like another case of a vulnerability which was handled poorly by upstream: Bad/insufficient communication and multiple embargo violations.

Ultimately this means there is no fix available yet and no ETA when there will be one.


A major action item here from Mozilla would be to bring this VPN under the same policies and teams that manage Firefox's security issues - or standardize the policies across the company and ensure products are staffed for it (if there is a reason to avoid centralizing that to the team). I would never expect such poor handling from a browser vendor.


In case you needed any more excuses to switch to using Mullvad directly.


Unless you need port forwarding. I switched to ovpn for that very reason.


NB: < on Linux >


Polkit only runs on GNU/Linux with systemd anyway.


One could easily not know that, given how many SomethingKits there are in The Apple ecosystem.


polkit does not require systemd.


It's in the original headline, but I had to cut it because it was too long.


You made the right call. Polkit is most commonly deployed on modern GNU/Linux distributions so the “on Linux” is mostly redundant.

On a related note, Polkit, itself, has had its own privilege escalation problems:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034

https://blog.qualys.com/vulnerabilities-threat-research/2022...


"Open" is a great marketing term to signify to geeks that you're hip to the whole movement thing, and "Wall" of course is a classic Cybersecurity term that is an instantly recognizable part of "firewall", but when you make a portmanteau into "OpenWall" and a big gaping security hole is revealed, surely the irony is not lost on us.


OpenWall is a highly-respected security research and hacking project from the early 2000s. This group was responsible for revealing numerous 0days during the chaotic days of the early Web, as well as developing exploit mitigation techniques. These days it's mainly known for hosting security-related mailing lists such as oss-security and kernel-hardening, widely read by security researchers and kernel developers.

The name is more than appropriate. It's not the developer of Mozilla VPN.


You are aware that openwall doesn't make the mozilla vpn, right?

