Security Update ... Firefox 2.0.0.5 Released

muckshifter

I'm not weird, I'm a limited edition.
Moderator
Joined
Mar 5, 2002
Messages
25,751
Reaction score
1,210
It is recommended that you update to this version as soon as possible ... download here:
http://www.mozilla.com/en-US/firefox/

Vulnerabilities fixed:

MFSA 2007-25 XPCNativeWrapper pollution

MFSA 2007-24 Unauthorized access to wyciwyg:// documents

MFSA 2007-23 Remote code execution by launching Firefox from Internet Explorer

MFSA 2007-22 File type confusion due to %00 in name

MFSA 2007-21 Privilege escalation using an event handler attached to an element not in the document

MFSA 2007-20 Frame spoofing while window is loading

MFSA 2007-19 XSS using addEventListener and setTimeout

MFSA 2007-18 Crashes with evidence of memory corruption

Be warned, if you are using a version of Firefox earlier than 1.5.x you will need to manually download and install the update. Users of later versions should be prompted to update, if not they can open Firefox, click on "Help" and then click on "Check for Updates."

MFSA 2007-23 Remote code execution by launching Firefox from Internet Explorer has received a lot of attention since it became public... some blamed Firefox, some blamed IE, and let's be honest, far more blamed IE. The Mozilla Foundation were even cheeky enough to say that they "highly recommend(s) using Firefox to browse the web to prevent attackers from exploiting this problem in Internet Explorer".

Hang on a sec - that statement is nearly as cheeky as Apple saying they were upset with Windows when new iPods were shipped complete with a worm/trojan ...

Let's look at what happened:
  • Firefox introduced a security vulnerability by creating a protocol handler that doesn't validate URLs properly
  • Mozilla tell everybody to use Firefox and avoid IE so that the vulnerability that they introduced cannot be used
Um no... when the *Firefox* product creates a vulnerability on my system, then Mozilla fixes the problem, they don't tell me to stop using their competitor's product - especially when the protocol handler created is not for the exclusive use of Internet Explorer.

Cite: http://www.kb.cert.org/vuls/id/358017 "if a remote attacker can persuade a user with Firefox installed to access a specially crafted web page using Internet Explorer, and perhaps other Windows applications, the malicious JavaScript will be executed. Reports claim this vulnerability is introduced when Firefox versions 2.0.0.2 and later are installed."

Cite: http://www.mozilla.org/security/announce/2007/mfsa2007-23.html

"Note: Other Windows applications can be called in this way and also manipulated to execute malicious code. This fix only prevents Firefox and Thunderbird from accepting bad data. This patch does not fix the vulnerability in Internet Explorer."

Sorry, but I'm siding with Jesper:
http://msinfluentials.com/blogs/jesper/archive/2007/07/10/blocking-the-firefox-gt-ie-0-day.aspx

"It is clear from the documentation that it is incumbent upon the application to validate the URL string. If the application can accept, and process, dangerous commands through its protocol handler, as Firefox does, it is even more critical that the application take care to validate the URL before processing it. In fact urlmon.dll even provides such a way."


Source: www.msmvps.com/blogs


user.gif
 
Back
Top