It is recommended that you update to this version as soon as possible ... download here:
http://www.mozilla.com/en-US/firefox/
Vulnerabilities fixed:
MFSA 2007-25 XPCNativeWrapper pollution
MFSA 2007-24 Unauthorized access to wyciwyg:// documents
MFSA 2007-23 Remote code execution by launching Firefox from Internet Explorer
MFSA 2007-22 File type confusion due to %00 in name
MFSA 2007-21 Privilege escalation using an event handler attached to an element not in the document
MFSA 2007-20 Frame spoofing while window is loading
MFSA 2007-19 XSS using addEventListener and setTimeout
MFSA 2007-18 Crashes with evidence of memory corruption
Be warned: if you are using a version of Firefox earlier than 1.5.x, you will need to manually download and install the update. Users of later versions should be prompted to update; if not, they can open Firefox, click on "Help" and then click on "Check for Updates."
MFSA 2007-23 Remote code execution by launching Firefox from Internet Explorer has received a lot of attention since it became public... some blamed Firefox, some blamed IE, and let's be honest, far more blamed IE. The Mozilla Foundation were even cheeky enough to say that they "highly recommend(s) using Firefox to browse the web to prevent attackers from exploiting this problem in Internet Explorer".
Hang on a sec - that statement is nearly as cheeky as Apple saying they were upset with Windows when new iPods were shipped complete with a worm/trojan ...
Let's look at what happened:
- Firefox introduced a security vulnerability by creating a protocol handler that doesn't validate URLs properly
- Mozilla tell everybody to use Firefox and avoid IE so that the vulnerability that they introduced cannot be used
Cite: http://www.kb.cert.org/vuls/id/358017 "if a remote attacker can persuade a user with Firefox installed to access a specially crafted web page using Internet Explorer, and perhaps other Windows applications, the malicious JavaScript will be executed. Reports claim this vulnerability is introduced when Firefox versions 2.0.0.2 and later are installed."
Cite: http://www.mozilla.org/security/announce/2007/mfsa2007-23.html
"Note: Other Windows applications can be called in this way and also manipulated to execute malicious code. This fix only prevents Firefox and Thunderbird from accepting bad data. This patch does not fix the vulnerability in Internet Explorer."
Sorry, but I'm siding with Jesper:
http://msinfluentials.com/blogs/jesper/archive/2007/07/10/blocking-the-firefox-gt-ie-0-day.aspx
"It is clear from the documentation that it is incumbent upon the application to validate the URL string. If the application can accept, and process, dangerous commands through its protocol handler, as Firefox does, it is even more critical that the application take care to validate the URL before processing it. In fact urlmon.dll even provides such a way."
Source: www.msmvps.com/blogs
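To make the point in the quotes above concrete (that an application which registers a protocol handler must validate the URL string before acting on it), here is an added example that is not code from the original post, from Firefox, Mozilla or either quoted blog. The "example-app:" scheme, the app.exe path, the "-url" and "-runscript" switches and the %1 command template are all hypothetical stand-ins for a generic Windows protocol handler, and the malicious URLs are constructed only to show the class of problem (a caller-supplied string spliced into a command line), not to reproduce any real payload. The example is general: it rejects raw and percent-encoded quotes, whitespace and control characters (including the %00 case), checks the scheme, and builds the final command line per argument rather than by substitution.

```python
"""Protocol-handler URL validation, illustrated.

Added example, not code from Firefox, Mozilla, or the quoted blogs. The
"example-app:" scheme, app.exe path and switch names are hypothetical; the
malicious URLs below are constructed to show the general quote-breakout
class a %1-template handler is exposed to, not any real payload.
"""
import re
import subprocess
from urllib.parse import unquote, urlsplit

APP_EXE = r"C:\Program Files\ExampleApp\app.exe"
# Shape of a registry shell\open\command entry that drops the whole
# caller-supplied URL into %1 (hypothetical template).
COMMAND_TEMPLATE = f'"{APP_EXE}" -url "%1"'
ALLOWED_SCHEME = "example-app"

# Characters RFC 3986 permits anywhere in a URL. Double quote, whitespace
# and control characters are absent, so a raw breakout cannot pass this.
URL_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")

# Constructed sample inputs (not taken from any advisory).
BENIGN_URL = "example-app://docs/page?id=7"
BREAKOUT_URL = 'example-app://docs/x" -runscript "script.js'
ENCODED_URL = "example-app://docs/x%22%20-runscript%20%22script.js"
NUL_URL = "example-app://docs/page%00.txt"


class RejectedURL(ValueError):
    """Raised when the handler refuses to pass a URL on to the application."""


def naive_command(url: str) -> str:
    """Unvalidated dispatch: paste the URL into the template as-is."""
    return COMMAND_TEMPLATE.replace("%1", url)


def split_windows_cmdline(cmdline: str) -> list[str]:
    """Simplified CommandLineToArgvW: quotes toggle grouping, unquoted
    whitespace separates arguments. Backslash-escape rules are omitted;
    none of the sample inputs rely on them, so argv is exact for them."""
    args: list[str] = []
    cur: list[str] = []
    in_quote = False
    seen = False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
            seen = True
        elif ch in " \t" and not in_quote:
            if seen:
                args.append("".join(cur))
                cur, seen = [], False
        else:
            cur.append(ch)
            seen = True
    if seen:
        args.append("".join(cur))
    return args


def validate_url(url: str) -> str:
    """Accept only a URL this handler is registered for and that cannot
    change the meaning of the command line it is spliced into."""
    if not URL_CHARS.fullmatch(url):
        raise RejectedURL("character outside the RFC 3986 URL set")
    if urlsplit(url).scheme.lower() != ALLOWED_SCHEME:
        raise RejectedURL("scheme is not one this handler owns")
    # Check the percent-decoded form too: an application that decodes
    # before acting on the value would otherwise see the quote, space or NUL.
    for ch in unquote(url):
        if ch == '"' or ch.isspace() or ord(ch) < 0x20:
            raise RejectedURL("encoded quote, whitespace or control character")
    return url


def is_accepted(url: str) -> bool:
    """True if validate_url lets the URL through, False if it rejects it."""
    try:
        validate_url(url)
    except RejectedURL:
        return False
    return True


def safe_command(url: str) -> str:
    """Validated dispatch: check first, then let list2cmdline quote each
    argument on its own instead of string-substituting into a template."""
    return subprocess.list2cmdline([APP_EXE, "-url", validate_url(url)])


if __name__ == "__main__":
    for label, url in (("benign", BENIGN_URL), ("breakout", BREAKOUT_URL)):
        print(f"{label}: naive argv = {split_windows_cmdline(naive_command(url))}")
        print(f"{label}: accepted  = {is_accepted(url)}")
```

Running it shows the unvalidated template turning one URL argument into three (the receiving program sees an extra "-runscript" switch it was never meant to get), while the validator refuses that URL, its percent-encoded twin, the %00 variant and any URL whose scheme the handler does not own. Validation is the primary control; building the command line with list2cmdline is the belt to that brace, since it escapes an embedded quote rather than letting it terminate the argument.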