Mozilla slings Firefox patches at flaw found by GCHQ's infosec arm

In version 46 of its popular Firefox web browser, Mozilla has patched 10 vulnerabilities, some rated either critical or high severity, that permitted remote code execution. One of the patched high-severity flaws was reported by the Communications-Electronics Security Group (CESG), the information security limb of the UK …

  1. Tomato42
    Angel

    what? GCHQ donating patches to open source projects used by millions of people. US Congress unanimously voting in a bill requiring warrants for accessing email, photos and all other documents stored in cloud.

    Did I wake up in an opposite world today?

    1. Oengus

      Donald Trump and Hillary Clinton potential contenders for the US presidency!

      Did I wake up in an opposite world today?

      Nope it is just another example of how the world is turning on its head...

    2. Anonymous Coward
      Anonymous Coward

      I would just assume that they've found another flaw, so can afford to burn this one (for the protection of Firefox users from the bad guys), while retaining the ability to crack Firefox for the benefit of... uh, the good guys? It was all going so well until I got to the end.

      1. Anonymous Coward
        Anonymous Coward

        s/'the good guys?'/themselves./

        You're welcome ;)

  2. RIBrsiq
    Thumb Up

    I am happy to see GCHQ helping, whatever their motivations.

    They, and similar organizations, should do much more to help secure things.

    1. Smooth Newt Silver badge
      Meh

      GCHQ motivations

      I am happy to see GCHQ helping, whatever their motivations.

      My guess is that their public relations department demanded a small bone to throw to the masses as part of their ongoing campaign to counter the firestorm of criticism.

      The silly competitions probably aren't proving to be enough. I expect their logo will be redesigned soon into something featuring kittens.

      1. Paul Crawford Silver badge

        Re: GCHQ motivations

        Don't forget that GCHQ has two jobs:

        - The one folk tend to think about is spying on world+dog

        - The other is stopping world+dog spying on our glorious leaders

        Clearly there is a conflict of interests here, as hoarding vulnerabilities to shaft the other guy could very well lead to your own boys getting done over when their kit is not patched. There is even advice given to gov BOFHs to help out on lots of platforms, not just Windows. Though given the number of high-profile breaches we hear of, and no doubt others we (and possibly they) don't know about, one wonders if it is listened to.

        https://www.gov.uk/government/collections/end-user-devices-security-guidance

  3. Dan 55 Silver badge
    Black Helicopters

    Time to look a gift horse in the mouth

    That patch needs at least three independent code reviews.

    1. Anonymous Coward
      Black Helicopters

      Re: Time to look a gift horse in the mouth

      More so the ones they submit vicariously. Methinks...

    2. Cynical Observer
      Alien

      Re: Time to look a gift horse in the mouth

      If you read the article again - slowly this time - you will see that it says GCHQ found the vulnerabilities. It does not say that they wrote the patches.

      .... Although I fully echo your sentiment that anything originating from the spooks is going to be regarded suspiciously until it has been code reviewed extensively.

  4. gazzton

    Comma placement

    "Mozilla has patched 10 vulnerabilities, some rated either critical or high-severity, that permitted code execution in version 46 of its popular Firefox web browser".

    OR

    Mozilla has patched 10 vulnerabilities, some rated either critical or high-severity that permitted code execution, in version 46 of its popular Firefox web browser.

    Big difference in meaning. I'm assuming the latter?

    1. Charlie Clark Silver badge

      Re: Comma placement

      Yes. Better still would be to lead with the new version and say that along with whatever new UI fuckery there are patches for.

      As 45 is also the new ESR release but 38 is still in use, let's hope that they also get the patches.

      1. Dan 55 Silver badge

        Re: Comma placement

        The only new feature in 46 is the security update for the JavaScript engine. No UI fuckery, amazingly enough.

        1. Spoobistle

          Re: Comma placement (@Dan55)

          Well if GCHQ have prompted Mozilla to cure the infuriating Javascript "lockups" that have become a feature of Firefox lately, they'll get a vote of thanks from me, and hopefully I won't have to switch browser.

        2. Richard Lloyd

          Re: Comma placement

          > No UI fuckery, amazingly enough.

          Er, unless you run Linux Firefox 46, in which case a major change was made with a move from GTK+2 to GTK+3. Apart from the different in-page chrome (e.g. the form selector looks different and the scroll bars are horribly narrow now), it also now fails to run on some still-supported LTS distros that don't ship GTK+3 (e.g. CentOS 6, which still has more than 4 years of support left).

          Yes, you can fall back to the ESR release for the moment, but I suspect the next ESR release will also use GTK+3...

  5. pewpie

    Take heed..

    Memory corruption is their speciality.

    1. Paul Crawford Silver badge

      Re: Take heed..

      Well, web browsers take so much memory these days it's almost inevitable it comes down to thoughtless crap management, and hence corruption...

  6. Florida1920
    Pint

    Have a Brown Ale

    The lone high severity bug was found by British security bods Maryam Mehrnezhad, Ehsan Toreini, Siamak F. Shahandashti, and Feng Hao of Newcastle University.
