-
March 25th, 2005, 06:30 AM
#1
Three new Firefox vulnerabilities
Three new Firefox Vulnerabilities reported by Secunia.com.
Three vulnerabilities have been reported in Firefox, which can be exploited by malicious people to bypass certain security restrictions and compromise a user's system.
1) An error in the restriction of privileged XUL files can e.g. be exploited to open a local privileged XUL file by tricking a user into dragging a faked scrollbar.
The vulnerability itself does not pose any direct security risk as no XUL files in the product use external parameters in an insecure way nor do any destructive actions when being opened.
2) A web site added as a sidebar panel can load privileged content, which can be exploited to execute arbitrary programs by injecting JavaScript into a privileged URL.
3) A boundary error in the GIF image processing of Netscape extension 2 blocks can be exploited to cause a heap-based buffer overflow via a specially crafted image.
Successful exploitation may allow execution of arbitrary code.
The vulnerabilities have been reported in versions prior to 1.0.2.
Solution:
Update to version 1.0.2.
http://www.mozilla.org/products/firefox/
Link: http://secunia.com/advisories/14654/
Thankfully, Secunia says that all three exploits are fixed by upgrading to Firefox 1.0.2 so it looks like we won't all have to upgrade again.
- Xierox
"Personality is only ripe when a man has made the truth his own."
-- Søren Kierkegaard
-
March 25th, 2005, 06:50 AM
#2
Member
I was going to say, if I had to upgrade Firefox again I was going to have to start comparing to IE’s monthly updates. I hope people stop trying to exploit Firefox... since that’s only going to happen if people stop using Firefox, I say to all the beginners: FIREFOX IS BAD, STICK WITH YOUR INTERNET EXPLORER.
-
March 25th, 2005, 06:56 AM
#3
Monthly updates are not a bad thing, nor are weekly updates.
I wouldn't care if Firefox went to daily updates. Know why? Because at LEAST the problems/exploits that were found can be quickly solved. I'd much rather have an update ASAP regardless of how many there are in total (Linux kernel for god's sake is on 2.6x, how many hundreds of thousands of fixes?) rather than wait a few months for a cumulative patch and thus be exploited during that wait period.
Debunk the FUD of patch times.
"It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change."
- Charles Darwin
-
March 25th, 2005, 07:08 AM
#4
Banned
Yeah, all the exploiting just helps Firefox get tighter and more solid. It really is just another front for the battle of open vs closed source coding.
-
March 25th, 2005, 07:10 AM
#5
Originally posted here by fractal.design
Yeah, all the exploiting just helps Firefox get tighter and more solid. It really is just another front for the battle of open vs closed source coding.
Then how come no one says this when IE gets patches? It's nothing personal. I was surprised at my own reaction when I saw the exploits, too. When I see that IE has more patches I'm like, "Ug. Not again..." With Firefox, "It's getting more secure!" It made me realize that I'm perhaps a little too anti-Microsoft.
- Xierox
"Personality is only ripe when a man has made the truth his own."
-- Søren Kierkegaard
-
March 25th, 2005, 07:20 AM
#6
Hello,
I wouldn't mind I.E. if they would UPDATE the vulnerabilities that are THREE YEARS OR OLDER (eEye statistics) and stop leaking my hard drive to the world.
-
March 25th, 2005, 07:25 AM
#7
Banned
Originally posted here by xierox
Then how come no one says this when IE gets patches? It's nothing personal. I was surprised at my own reaction when I saw the exploits, too. When I see that IE has more patches I'm like, "Ug. Not again..." With Firefox, "It's getting more secure!" It made me realize that I'm perhaps a little too anti-Microsoft.
- Xierox
I wasn't saying anything about IE. But yeah, sure, it gets more secure with every patch. It's just that Microsoft is a company. Like Opera is too. But Firefox is not. It's open source. So it will be interesting to see the differences in security methodology between the (in my eyes) two major powers: open and closed source.
-
March 25th, 2005, 07:25 AM
#8
Then how come no one says this when IE gets patches?
I do, all the time. The more patches Microsoft will release the better. People get so caught up in the naysaying of anti-MS rumors that suddenly 15 patches in one month for the Windows kernel+applications is "unacceptable" but when the Linux 2.6 kernel requires 25 patches in a month for improvement and secure driver support it's viewed as "necessary".
I agree with you 100%. Time to start debunking the patches FUD. I'll be upset with ANY piece of software from any company that has known vulnerabilities but wants to stick to their "once a month release" schedule rather than get the problem solved.
Side note:
if they would UPDATE the vulnerabilities that are THREE YEARS OR OLDER (eEye statistics) and stop leaking my hard drive to the world
If your hard drive is leaking then it is your configuration of Windows, not Windows itself. I know mine certainly isn't. And there are no exploits in XP or 2003 that I am aware of that are 3 years old. Even the most recent one that existed in 98 and was found again in XP was only temporary because of a slight bug in an update released. It was promptly fixed. Even then, it wasn't a bug that anyone could stop. The exploit was very similar to having a user click on a dialog box that says:
"You are going to get a virus and I will kill your mother if you click yes to this"
And then watching the computer user click yes.
edit: Let's debunk one more thing while we are at it. The "OpenSource HAS to be better than Closed source because it's free and hundreds of eyes look at it".
Two major powers: open and closed source.
It's very similar in testing. You code a program, you give it to the masses to test (or in a business case, a very large alpha-beta release to a large test group) and discover bugs. They send reports back to you (even Windows does this, do you send reports back when it asks?), and you fix the security problems. Open or closed, they are both going to have the same likelihood of security problems being overlooked.
Hell, even the Linux kernel had a backdoor programmed into it for a solid week and a half before anyone noticed.
"It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change."
- Charles Darwin
-
March 25th, 2005, 07:28 AM
#9
Originally posted here by fractal.design
I wasn't saying anything about IE. But yeah, sure, it gets more secure with every patch. It's just that Microsoft is a company. Like Opera is too. But Firefox is not. It's open source. So it will be interesting to see the differences in security methodology between the (in my eyes) two major powers: open and closed source.
Was not aimed at you, more at myself.
Originally posted here by guardian alpha
I do, all the time.
Then you're a better man than me. ;-P
EDIT: Using Firefox and learning more about Linux has been an eye-opener for me. Until recently, I'd assumed that Linux had basically no security updates because it was so secure. The same went for Firefox. But now I'm realizing that all software really does have flaws, even open source.
"Personality is only ripe when a man has made the truth his own."
-- Søren Kierkegaard
-
March 25th, 2005, 07:44 AM
#10
Open source isn't always a good thing, sure you have the good people looking at securing it, but now you have the bad people that can look at how to attack it...