ALERT: Mozilla/Firefox Holes Of Doom for 15-April-2005

Platform

Learning Storage Performance
Joined
May 10, 2002
Messages
234
Location
Rack 294, Pos. 10
The sky is falling! The sky is falling! :errr:

  • The remaining six bugs, which affect both browsers, are capable of the following:
  • One of the flaws enables certain pop-ups to execute malicious code on a system if the user opens the pop-up.
  • A bug in the way windows and tabs are handled can allow malicious code from an untrusted site to execute in the context of another site.
  • A bug involving the URLs of "favicons" icons allows JavaScript code to execute with escalated privileges.
  • A bug in installing search plug-ins can allow malicious code execution, but it requires that the user be tricked into installing a specially crafted search plug-in.
  • Input validation errors in InstallTrigger and other XPInstall-related JavaScript objects could allow malicious code execution.
  • A problem with the "chrome" user-interface code in validating DOM nodes allowed several exploits that could lead to malicious code execution or data theft; the exploits could be activated by trivial user actions, such as clicking on a link.

The updates, to Version 1.0.3 of Firefox and Version 1.7.7 of Mozilla, are available from the Firefox and Mozilla download pages. The project said a number of extensions were broken by the security fixes, but most extensions have now been revised to work.



http://www.mozilla.org/news.html


 

Computer Generated Baby

Learning Storage Performance
Joined
Dec 16, 2003
Messages
221
Location
Virtualworld
  • A "highly critical" unpatched vulnerability in the Netscape browser could potentially allow hackers to compromise Internet users' systems.

    ...The buffer overflow vulnerability could cause the browser to crash. In addition, hackers could create Web sites to exploit the flaw, executing code of their choice on visitors' computers to gain access to users' systems, security company Secunia warned.

    The vulnerability has been confirmed in Netscape version 7.2 and has been reported in Version 6.2.3, according to the advisory, released late Tuesday. Other versions may also be affected, it said...


The cyberdrama never ends. Netscrape users beware! :errr:


http://www.infoworld.com/article/05/04/27/HNnetscapeflaw_1.html?source=NLC-AD2005-04-28

 

Computer Generated Baby

Learning Storage Performance
Joined
Dec 16, 2003
Messages
221
Location
Virtualworld
  • O! :errr: My! :errr: Gawd! :errr:

  • Exploit Code Chases Two Firefox Flaws
    Published on ZDNet News: May 9, 2005, 8:14 AM PT

    Two vulnerabilities in the popular Firefox browser have been rated "extremely critical" because exploit code is now available to take advantage of them. The cross-site scripting and remote system access flaws were discovered in Firefox version 1.0.3...



    http://news.zdnet.com/2100-1009_22-5700204.html?tag=nl.e589

 

Fushigi

Storage Is My Life
Joined
Jan 23, 2002
Messages
2,890
Location
Illinois, USA
1.0.4 is out:
What's New 1.0.4

Firefox 1.0.4 is a security update that is part of our ongoing program to provide a safe Internet experience for our customers. We recommend that all users upgrade to this latest version.

Here's what's new in Firefox 1.0.4:

* Several security fixes.
* Fix to DHTML errors encountered at some web sites.
 

GMac

Learning Storage Performance
Joined
Feb 20, 2002
Messages
174
Location
Skipton, North Yorks, UK
A temporary fix (stopping websites from installing software in Firefox) is easily achieved (I've already done so), and a more permanent solution (i.e. version 1.0.4, which has the fix included) can be found here.

GM
 

GIANT

Learning Storage Performance
Joined
Apr 8, 2002
Messages
234
Location
Highway To Hell
Hmmm... I can't believe I'm saying this, but, I actually LIKE Mozilla 1.7.7 Suite for the most part!

It's not nearly as clunky as it was some time back.


 