• Please be sure to read the rules and adhere to them. Some banned members have complained that they are not spammers. But they spammed us. Some even tried to redirect our members to other forums. Duh. Be smart. Read the rules and adhere to them and we will all get along just fine. Cheers. :beer: Link to the rules: https://www.forumsforums.com/threads/forum-rules-info.2974/

Firefox / Mozilla problems

Doc

Doc

Bottoms Up
Staff member
GOLD Site Supporter
This just in:

==================================================

National Cyber Alert System

Technical Cyber Security Alert TA06-038A



Multiple Vulnerabilities in Mozilla Products

Original release date: February 7, 2006

Last revised: --

Source: US-CERT



Systems Affected

Mozilla software, including the following, is affected:

* Mozilla web browser, email and newsgroup client

* Mozilla SeaMonkey

* Firefox web browser

* Thunderbird email client



Overview

Several vulnerabilities exist in the Mozilla web browser and derived

products, the most serious of which could allow a remote attacker to

execute arbitrary code on an affected system.



I. Description

Several vulnerabilities have been reported in the Mozilla web browser

and derived products. More detailed information is available in the

individual vulnerability notes, including:



VU#592425 - Mozilla-based products fail to validate user input to the

attribute name in "XULDocument.persist"

A vulnerability in some Mozilla products that could allow a remote

attacker to execute Javascript commands with the permissions of the

user running the affected application.

(CVE-2006-0296)



VU#759273 - Mozilla QueryInterface memory corruption vulnerability

Mozilla Firefox web browser and Thunderbird mail client contain a

memory corruption vulnerability that may allow a remote attacker to

execute arbitrary code.

(CVE-2006-0295)



II. Impact

The most severe impact of these vulnerabilities could allow a remote

attacker to execute arbitrary code with the privileges of the user

running the affected application. Other impacts include a denial of

service or local information disclosure.



III. Solution

Upgrade

Upgrade to Mozilla Firefox 1.5.0.1 or SeaMonkey 1.0.

For Mozilla-based products that have no updates available, users are

strongly encouraged to disable JavaScript.



Appendix A. References

* Mozilla Foundation Security Advisories -

<http://www.mozilla.org/security/announce/>

* Mozilla Foundation Security Advisories -

<http://www.mozilla.org/projects/security/known-vulnerabilities.ht

ml>

* US-CERT Vulnerability Note VU#592425 -

<http://www.kb.cert.org/vuls/id/592425>

* US-CERT Vulnerability Note VU#759273 -

<http://www.kb.cert.org/vuls/id/759273>

* US-CERT Vulnerability Notes Related to February Mozilla Security

Advisories -

<http://www.kb.cert.org/vuls/byid?searchview&query=mozilla_feb_200

6>

* US-CERT Vulnerability Note VU#604745 -

<http://www.kb.cert.org/vuls/id/604745>

* CVE-2006-0296 -

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0296>

* CVE-2006-0295 -

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0295>

* Firefox - Rediscover the Web - <http://www.mozilla.com/firefox/>

* The SeaMonkey Project -

<http://www.mozilla.org/projects/seamonkey/>

 
O

OkeeDon

New member
I guess the only reason it seemed safer to use Firefox is because there weren't enough people using it for hackers to pay attention. It appears that Firefox has attracted enough users to gain critical mass, and turns out to be the same as IE or anything else. Nothing is perfect.
 
DaveNay

DaveNay

Klaatu barada nikto
SUPER Site Supporter
OkeeDon said:
I guess the only reason it seemed safer to use Firefox is because there weren't enough people using it for hackers to pay attention. It appears that Firefox has attracted enough users to gain critical mass, and turns out to be the same as IE or anything else. Nothing is perfect.
Click to expand...

Except for the fact that if you are running Firefox 1.5, you have already been upgraded to the latest security fix 1.5.0.1, this type of security fix is automatic and usually quite timely after the discovery of the bug. I believe my browser updated itself sometime late last week.

This is in contrast to Microsoft where there was a known vulnerability, and there was a virus scheduled to attack that vulnerability on 2006-02-03, and yet MS was not going to release a fix for it until after that date, even though they already has the patch ready.
 
O

OkeeDon

New member
Sure, I agree; both my computers were automatically upgraded in timely fashion. My thoughts were more about the way Firefox was presented to folks who have a less intensive computer education. At that time (about the time I switched, within the last year), Firefox was represented by many to be "golden", not open to the vulnerabilities.

There still is an amateur flavor to Firefox; I lost my Spell Check plug-in when Firefox was upgraded, and I haven't found a replacement.

.
 
DaveNay

DaveNay

Klaatu barada nikto
SUPER Site Supporter
OkeeDon said:
I lost my Spell Check plug-in when Firefox was upgraded, and I haven't found a replacement.
Click to expand...

There are two spell checking options I know of.

I don't use either one so I have no idea of their quality.
 
B

beds

New member
I was actually quite impressed with the auto-upgrade. It seemed to me to be far more professional than the IE option of checking for a security patch.

However, as a business user, if these upgrades were auto-executed and forced without any due diligence , there would be quite an outcry! We have to test IE upgrades and roll them out corporately and test patches and force them down the pipe.

Perhaps the difference is that Firefox is aiming primarily at personal users.
 
XeVfTEUtaAqJHTqq

XeVfTEUtaAqJHTqq

Master of Distraction
Staff member
SUPER Site Supporter
beds said:
Perhaps the difference is that Firefox is aiming primarily at personal users.
Click to expand...

It's also free so any complaints pretty much fall on dead ears (or highly selective ears).
 
You must log in or register to reply here.
Top