Archive for the ‘Security’ Category

Firefox Vietnamese language pack compromised

Published: May 8th, 2008

In a post to Mozilla Security blog, Window Snyder, Mozilla Security Officer, confirmed a security threat reported a couple of days ago that has compromised Vietnamese language packs downloaded since February 18, 2008.

Apparently, the language pack author’s computer got infected with the HTML.Xorer virus, which injected malicious scripts into Firefox’s localized help files to display unwanted ads. While not harmful at this point, the ads could be replaced with malware to compromise users’ computers.

PayPal to ban unsafe and old browsers

Published: April 18th, 2008

In a white paper released last week by PayPal, it announced that it will start showing warnings to customers who access its site using browsers that don’t support some way of web site identification and phishing protection.

“In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts”, reads the white paper authored by Michael Barret and Dan Levy, PayPal’s Chief Information Security Officer and Senior Director of Risk Management for Europe, respectively.

Handle with care: Symantec on web browsers security

Published: April 10th, 2008

Symantec has released its latest Internet Security Threat Report that provides a fair amount of information on the status of Internet security.

According to the report, Mozilla-based browsers (including Firefox) account for the largest share of documented vulnerabilities, whether acknowledged by the vendor or not, with a whopping 88 flaws (19 medium severity, 69 low), four times the number reported by Safari. Internet Explorer followed with 18 and Opera trails with only 12.

Security update for Adobe Flash plugin

Published: April 9th, 2008

Adobe has released an important security update (9.0.124) for its Flash Player plugin that addresses seven critical security vulnerabilities including the one exploited last week during the PWN 2 OWN hacking competition.

(Sort of) Firefox resource: vulnerability

Published: February 10th, 2008

Ronald van den Heetkamp disclosed in his blog, The Hacker Webzine, a Firefox bug affecting all versions including the just released 2.0.0.12 update.

The disclosed bug could allow a malicious web site to read files in your Firefox install directory (i.e. C:\Program Files\Mozilla Firefox\ on Windows). For example, this proof of concept published by van den Heetkamp and hosted by Mozilla Links will display the allprefs.js file located on your machine.

Firefox vulnerability severity raised, fix on its way

Published: January 29th, 2008

After further investigation, the severity of the chrome protocol directory traversal vulnerability disclosed last week has been raised from low to high by Mozilla Security.

The flaw, which affects some 600+ add-ons that are distributed as expanded files and folders instead of packed in a .jar file, could allow a malicious site to get access to user files in known locations.
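Since the exposure described above depends on how an installed add-on registers its chrome, a quick inventory of a profile is the check an administrator would want. The following is an added example, not code from Mozilla or from this post: it parses each add-on’s chrome.manifest under a profile’s extensions folder (content/skin/locale lines) and reports packages registered from plain directories rather than jar:…!/ paths. The extension IDs and manifests are constructed sample data.

```python
import os
import tempfile

# Constructed sample manifests (not from any real add-on): one packed
# in a .jar, one shipped as expanded files and folders.
SAMPLE_MANIFESTS = {
    "packed@example.test": (
        "content packed jar:chrome/packed.jar!/content/\n"
        "locale packed en-US jar:chrome/packed.jar!/locale/en-US/\n"
    ),
    "unpacked@example.test": (
        "# shipped as plain folders\n"
        "content unpacked chrome/content/\n"
        "skin unpacked classic/1.0 chrome/skin/\n"
        "locale unpacked en-US chrome/locale/en-US/\n"
    ),
}

def unpacked_registrations(manifest_text):
    """Return (directive, package, path) for chrome registrations whose
    path is a plain directory instead of a jar:...!/ location."""
    hits = []
    for line in manifest_text.splitlines():
        parts = line.split("#", 1)[0].split()  # strip comments
        if not parts:
            continue
        # content <pkg> <path> [flags]; skin/locale <pkg> <name> <path> [flags]
        if parts[0] == "content" and len(parts) >= 3:
            path = parts[2]
        elif parts[0] in ("skin", "locale") and len(parts) >= 4:
            path = parts[3]
        else:
            continue
        if not path.startswith("jar:"):
            hits.append((parts[0], parts[1], path))
    return hits

def scan_extensions_dir(extensions_dir):
    """Map add-on id -> unpacked registrations for every chrome.manifest
    found directly under <profile>/extensions/<id>/."""
    report = {}
    for ext_id in sorted(os.listdir(extensions_dir)):
        manifest = os.path.join(extensions_dir, ext_id, "chrome.manifest")
        if os.path.isfile(manifest):
            with open(manifest, encoding="utf-8", errors="replace") as f:
                hits = unpacked_registrations(f.read())
            if hits:
                report[ext_id] = hits
    return report

def demo():
    """Write the sample manifests into a temporary extensions tree, scan it."""
    with tempfile.TemporaryDirectory() as root:
        for ext_id, text in SAMPLE_MANIFESTS.items():
            os.makedirs(os.path.join(root, ext_id))
            with open(os.path.join(root, ext_id, "chrome.manifest"), "w") as f:
                f.write(text)
        return scan_extensions_dir(root)
```

Point scan_extensions_dir at a real profile’s extensions folder to list the add-ons whose chrome is registered unpacked.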

Firefox vulnerability affects some extensions

Published: January 23rd, 2008

A vulnerability in how Firefox handles chrome: addresses, which are used to load specific Firefox and extensions’ interface elements like windows, buttons and dialogs, could allow a malicious site to access local files in known locations.

New QuickTime vulnerability: rtsp://

Published: November 27th, 2007

Mozilla Security has confirmed a new vulnerability involving the QuickTime plugin, originally published by CERT following a public disclosure, including a proof of concept, a few days earlier.

Firefox 2.0.0.10 fixes jar: and other vulnerabilities

Published: November 27th, 2007

Mozilla has released Firefox 2.0.0.10, an update that fixes three security vulnerabilities rated as high.

The first of the bugs may allow a cross-site scripting (XSS) attack due to an error in handling JavaScript-initiated changes to window contents (window.location). Another fixes the well-publicized jar: protocol flaw, which could also allow cross-site scripting attacks. Mozilla has tightened the conditions for loading jar: protocol URIs:

Support for the jar: URI scheme has been restricted to files served with a Content-Type header of application/java-archive or application/x-jar. Web applications that require signed pages must make sure their .jar archives are served with this Content-Type. Sites that allow users to upload binary files should make sure they do not allow these files to have one of these two MIME types.
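The rule above has two sides for a site operator: a signed-page archive must be served with one of the two MIME types, and an upload service must never let user files carry them. The following is an added example, not code from Mozilla or this post, that encodes the rule as stated: it decides from response headers whether Firefox 2.0.0.10 would honour a jar: URI into that file (handling missing headers, header-name case and Content-Type parameters), and provides the mirror-image upload filter. The header values are constructed samples; the extra .jar-extension refusal in the upload filter is an assumption that the web server maps .jar to one of these types.

```python
JAR_MIME_TYPES = frozenset({"application/java-archive", "application/x-jar"})

def media_type(content_type):
    """Lower-cased media type from a Content-Type value, with parameters
    such as '; charset=binary' dropped. None if the header is absent."""
    if content_type is None:
        return None
    return content_type.split(";", 1)[0].strip().lower()

def jar_scheme_allowed(headers):
    """True if Firefox 2.0.0.10's rule lets jar: URIs read into a response
    carrying these headers (dict; header names matched case-insensitively)."""
    lowered = {name.lower(): value for name, value in headers.items()}
    return media_type(lowered.get("content-type")) in JAR_MIME_TYPES

def reject_upload(declared_type, filename):
    """Upload filter for sites hosting user-supplied binaries: refuse files
    that would later be served as jar archives. Extension check assumes the
    server infers Content-Type from the .jar suffix (an assumption here)."""
    if media_type(declared_type) in JAR_MIME_TYPES:
        return True
    return filename.lower().endswith(".jar")

# Constructed sample responses, as a site operator might capture them.
SAMPLE_RESPONSES = {
    "signed page archive": {"Content-Type": "application/java-archive"},
    "jar with parameters": {"content-type": "Application/X-Jar; charset=binary"},
    "user zip upload": {"Content-Type": "application/zip"},
    "no content-type": {},
}

def audit(responses):
    """Name -> whether jar: loading would be allowed, for a batch of responses."""
    return {name: jar_scheme_allowed(hdrs) for name, hdrs in responses.items()}

if __name__ == "__main__":
    for name, allowed in audit(SAMPLE_RESPONSES).items():
        print(f"{name}: jar: {'ALLOWED' if allowed else 'blocked'}")
```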

There’s not much detail about the third one except it involves memory corruption.

Naturally, users are strongly encouraged to update: select Check for Updates… in the Help menu, or wait for Firefox to automatically prompt you to install the update in the next 48 hours.

Mozilla to strengthen add-ons update mechanism

Published: July 2nd, 2007

Mozilla’s Dave Townsend has announced a proposal for enhancing the Firefox add-ons update mechanism. The proposal gathers a number of suggestions made via forum and blog posts and Mozilla newsgroups after it was revealed that the current add-on update mechanism is unnecessarily vulnerable to man-in-the-middle attacks, where an attacker could fake the actual update site and serve malicious software instead, as previously reported in late May.