Mozilla confirms new crash bug in Firefox 3.5.1 not exploitable

July 20, 2009 - 9:51 am

Mozilla has confirmed a crash bug in the latest Firefox 3.5.1, related to how its JavaScript engine handles certain long Unicode strings, that could lead to a crash on Mac OS X, Windows and Linux.

Mozilla states that despite what several media outlets and security organizations reported over the weekend, it is not an exploitable vulnerability that could lead to malicious code execution, so it is not a critical flaw.

Mozilla confirms critical security flaw in Firefox 3.5

July 14, 2009 - 5:19 pm

Mozilla has confirmed a critical security vulnerability, disclosed yesterday by Milw0rm, that may lead to remote code execution.

As it is related to the new TraceMonkey JavaScript optimizer, users can mitigate it by temporarily disabling the optimizer. To do so:

  • Enter about:config in the location bar to access advanced preferences.
  • Look for javascript.options.jit.content and double-click it to set it to false.

Mozilla reports that they are already working on a fix for the flaw and it will be released as soon as it becomes available.

Mozilla rushes Firefox 3.0.8 to address latest security bugs

March 27, 2009 - 6:55 pm

It turned out Mozilla only needed a couple of days to release the needed fixes for a couple of security vulnerabilities disclosed in the last few days: one uncovered last week during the CanSecWest Pwn2Own contest, the other published a couple of days ago by an Italian hacker.

While Firefox 3.0.8 fixes only these two critical security bugs, another was already on schedule for release in mid-April. I think this release may delay the Firefox 3.0.9 release a bit, but it should still come out in April.

To update, in the Help menu, select Check For Updates… and follow the onscreen instructions if you are not automatically prompted before that.

Crashing bug in Firefox prompts early update next week

March 26, 2009 - 6:31 pm

Guido Landi, an Italian hacker, has disclosed the details of a previously unknown crashing bug, including a proof of concept consisting of XML and XSL files that are loaded in an internal frame, resulting in a Firefox 3.0.7 crash on all platforms.

There is no known exploit at this time, but since it has already been disclosed, Mozilla has decided to release the next Firefox update, 3.0.8, next week, about a week ahead of the targeted mid-April date.

Mozilla’s Giorgio Maone explains a mitigation tip: “Like the vast majority of [crashing bugs, it] is not exploitable if you’ve got JavaScript and other active content disabled on the attacker site, because reliable exploitation requires scripting to ‘spray the heap’, i.e. to inject the malicious payload at the right places of your memory for execution. Therefore you can easily survive until the automatic update kicks in, if you don’t mind the possibility of an annoying but not dangerous crash.”

The bug does not affect the latest Firefox 3.5 nightlies, where the proof of concept results in an expected XML parsing error.

Mozilla already working on a Firefox 3 security fix

June 19, 2008 - 12:49 pm

The same day Firefox 3 was shipping, TippingPoint, a research organization for vulnerability analysis and discovery, published on its Zero Day Initiative site an upcoming advisory (ZDI-CAN-349) about a new security vulnerability, affecting Firefox 2 and 3, that could allow an attacker to execute arbitrary code.

Firefox Vietnamese language pack compromised

May 8, 2008 - 5:11 pm

In a post to the Mozilla Security blog, Window Snyder, Mozilla Security Officer, confirmed a security threat reported a couple of days ago that has compromised Vietnamese language packs downloaded since February 18, 2008.

Apparently, the language pack author’s computer got infected with the HTML.Xorer virus, which injected malicious scripts into Firefox’s localized help files to display unwanted ads. While not harmful at this point, the ads could be replaced with malware to compromise users’ computers.

PayPal to ban unsafe and old browsers

April 18, 2008 - 5:00 pm

In a white paper released last week, PayPal announced that it will start showing warnings to customers who access its site using browsers that don’t support some way of web site identification and phishing protection.

“In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts”, reads the white paper authored by Michael Barrett and Dan Levy, PayPal’s Chief Information Security Officer and Senior Director of Risk Management for Europe, respectively.

Handle with care: Symantec on web browsers security

April 10, 2008 - 4:29 pm

Symantec has released its latest Internet Security Threat Report that provides a fair amount of information on the status of Internet security.

According to the report, Mozilla-based browsers (including Firefox) account for the largest share of documented vulnerabilities, whether or not acknowledged by the vendor, with a whopping 88 flaws (19 medium severity, 69 low), four times the number reported for Safari. Internet Explorer followed with 18 and Opera trails with only 12.

Security update for Adobe Flash plugin

April 9, 2008 - 4:03 pm

Adobe has released an important security update (9.0.124) for its Flash Player plugin that addresses seven critical security vulnerabilities including the one exploited last week during the PWN 2 OWN hacking competition.

(Sort of) Firefox resource: vulnerability

February 10, 2008 - 11:40 pm

Ronald van den Heetkamp disclosed in his blog, The Hacker Webzine, a Firefox bug affecting all versions including the just released 2.0.0.12 update.

The disclosed bug could allow a malicious web site to read files in your Firefox install directory (i.e. C:\Program Files\Mozilla Firefox\ on Windows). For example, this proof of concept published by van den Heetkamp and hosted by Mozilla Links will display the allprefs.js file located on your machine.