Firefox / Mozilla problems


Doc
02-08-2006, 06:10 AM
This just in:

==================================================

National Cyber Alert System
Technical Cyber Security Alert TA06-038A

Multiple Vulnerabilities in Mozilla Products

Original release date: February 7, 2006
Last revised: --
Source: US-CERT

Systems Affected

Mozilla software, including the following, is affected:

* Mozilla web browser, email and newsgroup client
* Mozilla SeaMonkey
* Firefox web browser
* Thunderbird email client

Overview

Several vulnerabilities exist in the Mozilla web browser and derived products, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system.

I. Description

Several vulnerabilities have been reported in the Mozilla web browser and derived products. More detailed information is available in the individual vulnerability notes, including:

VU#592425 - Mozilla-based products fail to validate user input to the attribute name in "XULDocument.persist"
A vulnerability in some Mozilla products that could allow a remote attacker to execute JavaScript commands with the permissions of the user running the affected application.
(CVE-2006-0296)

VU#759273 - Mozilla QueryInterface memory corruption vulnerability
Mozilla Firefox web browser and Thunderbird mail client contain a memory corruption vulnerability that may allow a remote attacker to execute arbitrary code.
(CVE-2006-0295)

II. Impact

The most severe impact of these vulnerabilities could allow a remote attacker to execute arbitrary code with the privileges of the user running the affected application. Other impacts include a denial of service or local information disclosure.

III. Solution

Upgrade

Upgrade to Mozilla Firefox 1.5.0.1 or SeaMonkey 1.0.

For Mozilla-based products that have no updates available, users are strongly encouraged to disable JavaScript.

Appendix A. References

* Mozilla Foundation Security Advisories - <http://www.mozilla.org/security/announce/>
* Mozilla Foundation Security Advisories - <http://www.mozilla.org/projects/security/known-vulnerabilities.html>
* US-CERT Vulnerability Note VU#592425 - <http://www.kb.cert.org/vuls/id/592425>
* US-CERT Vulnerability Note VU#759273 - <http://www.kb.cert.org/vuls/id/759273>
* US-CERT Vulnerability Notes Related to February Mozilla Security Advisories - <http://www.kb.cert.org/vuls/byid?searchview&query=mozilla_feb_2006>
* US-CERT Vulnerability Note VU#604745 - <http://www.kb.cert.org/vuls/id/604745>
* CVE-2006-0296 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0296>
* CVE-2006-0295 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0295>
* Firefox - Rediscover the Web - <http://www.mozilla.com/firefox/>
* The SeaMonkey Project - <http://www.mozilla.org/projects/seamonkey/>
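Added example, not part of the thread or of US-CERT's advisory: a small Python checker that applies the advisory's Solution section to a software inventory. It compares each reported product version against the fixed releases the advisory names (Firefox 1.5.0.1, SeaMonkey 1.0) and, for a product with no listed fixed release, reports the advisory's fallback of disabling JavaScript. The inventory lines, host names and the Thunderbird entry are constructed for the example; the version-parsing rules (padding short versions, sorting a pre-release such as "1.0b" below "1.0") are this example's own assumptions, not Mozilla's versioning policy.

```python
"""Added example: check reported Mozilla product versions against the fixed
releases named in TA06-038A. Inventory data below is constructed, not read
from any real host."""

import re

# Fixed releases named in the advisory's "Solution" section.
FIXED_RELEASES = {
    "firefox": "1.5.0.1",
    "seamonkey": "1.0",
}

# Constructed inventory lines in the form "<host> <product> <version>".
SAMPLE_INVENTORY = """\
ws-01 firefox 1.5.0.1
ws-02 firefox 1.5
ws-03 firefox 1.0.7
ws-04 seamonkey 1.0
ws-05 seamonkey 1.0b
ws-06 thunderbird 1.5
ws-07 firefox 1.5.0.10
"""


def parse_version(text):
    """Turn '1.5.0.1' into a comparable tuple of ints.

    Short versions are padded so '1.5' compares as 1.5.0.0 (< 1.5.0.1),
    and a pre-release suffix such as the 'b' in '1.0b' makes the version
    sort below the final '1.0'. Both rules are assumptions of this example.
    """
    match = re.match(r"(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    numbers += (0,) * (4 - len(numbers))
    prerelease = match.group(2).strip()
    # Final release gets a trailing 1, pre-release a trailing 0.
    return numbers + ((0,) if prerelease else (1,))


def assess(inventory_text):
    """Map each host to 'fixed', 'upgrade', or 'disable-javascript'.

    'disable-javascript' is the advisory's own workaround for Mozilla-based
    products that have no fixed release listed.
    """
    status = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, product, version = line.split()
        fixed = FIXED_RELEASES.get(product.lower())
        if fixed is None:
            status[host] = "disable-javascript"
        elif parse_version(version) >= parse_version(fixed):
            status[host] = "fixed"
        else:
            status[host] = "upgrade"
    return status


if __name__ == "__main__":
    for host, state in sorted(assess(SAMPLE_INVENTORY).items()):
        print(f"{host}: {state}")
```

The numeric comparison matters because a naive string comparison would rank "1.5.0.10" below "1.5.0.1" and treat "1.5" as equal to or newer than "1.5.0.1", so an auto-updated host and a stale one could be misclassified.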

OkeeDon
02-08-2006, 08:51 AM
I guess the only reason it seemed safer to use Firefox is because there weren't enough people using it for hackers to pay attention. It appears that Firefox has attracted enough users to gain critical mass, and turns out to be the same as IE or anything else. Nothing is perfect.

DaveNay
02-08-2006, 09:14 AM
I guess the only reason it seemed safer to use Firefox is because there weren't enough people using it for hackers to pay attention. It appears that Firefox has attracted enough users to gain critical mass, and turns out to be the same as IE or anything else. Nothing is perfect.

Except for the fact that if you are running Firefox 1.5, you have already been upgraded to the latest security fix, 1.5.0.1; this type of security fix is automatic and usually quite timely after the discovery of the bug. I believe my browser updated itself sometime late last week.

This is in contrast to Microsoft, where there was a known vulnerability, and there was a virus scheduled to attack that vulnerability on 2006-02-03, and yet MS was not going to release a fix for it until after that date, even though they already had the patch ready.

OkeeDon
02-08-2006, 09:26 AM
Sure, I agree; both my computers were automatically upgraded in timely fashion. My thoughts were more about the way Firefox was presented to folks who have a less intensive computer education. At that time (about the time I switched, within the last year), Firefox was represented by many to be "golden", not open to the vulnerabilities.

There still is an amateur flavor to Firefox; I lost my Spell Check plug-in when Firefox was upgraded, and I haven't found a replacement.

DaveNay
02-08-2006, 09:51 AM
I lost my Spell Check plug-in when Firefox was upgraded, and I haven't found a replacement.

There are two spell checking options I know of.

* SpellBound (http://spellbound.sourceforge.net/)
* Install the Google Toolbar (http://toolbar.google.com/firefox/) for Firefox

I don't use either one so I have no idea of their quality.

beds
02-08-2006, 11:25 AM
I was actually quite impressed with the auto-upgrade. It seemed to me to be far more professional than the IE option of checking for a security patch.

However, as a business user, if these upgrades were auto-executed and forced without any due diligence, there would be quite an outcry! We have to test IE upgrades and roll them out corporately, and test patches and force them down the pipe.

Perhaps the difference is that Firefox is aiming primarily at personal users.

PBinWA
02-08-2006, 11:42 AM
Perhaps the difference is that Firefox is aiming primarily at personal users.

It's also free so any complaints pretty much fall on dead ears (or highly selective ears).