11-13-2008, 07:39 PM | #1 |
The Dreadnoks
Join Date: September 27, 2001
Location: Orlando, FL
Age: 61
Posts: 3,608
ATTN: FireFox Users:
There has been a post in reference to Firefox and script errors. Two articles hot off the press today. The first one covers the Firefox updates, including one that directly addresses the JavaScript errors ("MFSA 2008-53 XSS"). The second involves Google's Chrome browser.

November 12th, 2008
Firefox security makeover: 11 vulnerabilities, 4 critical
Posted by Ryan Naraine @ 7:40 pm

Mozilla has released a new version of its flagship Firefox browser to fix a total of 11 vulnerabilities that expose users to code execution, information stealing or denial-of-service attacks. Four of the 11 flaws covered with the new Firefox 3.0.4 are rated "critical" because of the risk of code execution attacks via specially rigged Web pages.

The four critical vulnerabilities are:

* MFSA 2008-55 Crash and remote code execution in nsFrameManager. A vulnerability in part of Mozilla's DOM constructing code can be exploited by modifying certain properties of a file input element before it has finished initializing. When the blur method of the modified input element is called, uninitialized memory is accessed by the browser, resulting in a crash. This crash may be used by an attacker to run arbitrary code on a victim's computer.
* MFSA 2008-54 Buffer overflow in http-index-format parser. This is a flaw in the way Mozilla parses the http-index-format MIME type. By sending a specially crafted 200 header line in the HTTP index response, an attacker can cause the browser to crash and run arbitrary code on the victim's computer.
* MFSA 2008-53 XSS and JavaScript privilege escalation via session restore. The browser's session restore feature can be used to violate the same-origin policy and run JavaScript in the context of another site. Any otherwise unexploitable crash can be used to force the user into the session restore state. This vulnerability could also be used by an attacker to run arbitrary JavaScript with chrome privileges.
* MFSA 2008-52 Crashes with evidence of memory corruption. Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

The Firefox update also fixes the following issues:

* MFSA 2008-58 Parsing error in E4X default namespace
* MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals
* MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation
* MFSA 2008-51 file: URIs inherit chrome privileges when opened from chrome
* MFSA 2008-47 Information stealing via local shortcut files

November 13th, 2008
Google Chrome vulnerable to data theft flaw
Posted by Ryan Naraine @ 7:54 am

Google has seeded a new version of its Chrome browser to developers with fixes for a pair of security issues that could expose users to data theft. The issue, rated as a "moderate" risk, could allow hackers to use HTML files to steal arbitrary files from a victim's machine. Details below:

* r4188 and r4827 Address an issue with downloaded HTML files being able to read other files on your computer and send them to sites on the Internet. We now prevent local files from connecting to the network using XMLHttpRequest() and also prompt you to confirm a download if it is an HTML file.
  o Severity: Moderate. If a user could be enticed to open a downloaded HTML file, this flaw could be exploited to send arbitrary files to an attacker.

The patch, which will eventually be rolled out via Chrome's automatic update feature, also adds new features around bookmarking and pop-up blocking.

Both articles can be found @ http://www.zdnet.com/
__________________
The Lizzie Palmer Tribute Let every nation know, whether it wishes us well or ill, that we shall pay any price, bear any burden, meet any hardship, support any friend, oppose any foe to assure the survival and the success of liberty. John F. Kennedy 35th President of The United States The Last Shot Honor The Fallen Jesus died for our sins, and American Soldiers died for our freedom. If you don't stand behind our Soldiers, please feel free to stand in front of them.
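The MFSA 2008-54 item quoted above is a buffer overflow in a parser for the http-index-format MIME type, triggered by a crafted "200:" header line. The following is an added illustration, not Mozilla's code and not a reproduction of the actual bug: it shows the classic unbounded-copy pattern that produces this class of header-parser overflow, next to a bounded parser that rejects oversized or excess tokens. The line layout assumed here ("200:" followed by whitespace-separated column names), the sample lines, and the MAX_COLS / MAX_COL_NAME limits are constructed for the example.

```c
/* Added example: unsafe vs. bounded parsing of an http-index-format "200:"
 * column-header line. Illustrative only; the real Mozilla parser and the
 * real MFSA 2008-54 bug are not reproduced here. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_COLS      8     /* assumed limit on column names per header */
#define MAX_COL_NAME 16     /* assumed limit on a column name, incl. NUL */

typedef struct {
    size_t ncols;
    char   names[MAX_COLS][MAX_COL_NAME];
} index_header;

/* VULNERABLE pattern (never called below): trusts the length and number of
 * tokens on the line. A token of MAX_COL_NAME or more bytes overflows
 * names[i]; more than MAX_COLS tokens writes past the end of names[]; a
 * line longer than 255 bytes overflows buf[]. */
int parse_200_line_unsafe(const char *line, index_header *hdr)
{
    char buf[256];
    char *tok;

    hdr->ncols = 0;
    if (strncmp(line, "200:", 4) != 0)
        return -1;
    strcpy(buf, line + 4);                          /* unbounded copy #1 */
    for (tok = strtok(buf, " \t\r\n"); tok != NULL; tok = strtok(NULL, " \t\r\n"))
        strcpy(hdr->names[hdr->ncols++], tok);      /* unbounded copy #2, no count check */
    return (int)hdr->ncols;
}

/* HARDENED version: walks the input in place, bounds every copy by the
 * destination size and checks the column count before indexing.
 * Returns the number of columns parsed, or -1 if the line is rejected. */
int parse_200_line(const char *line, index_header *hdr)
{
    const char *p;

    hdr->ncols = 0;
    if (strncmp(line, "200:", 4) != 0)
        return -1;
    p = line + 4;
    for (;;) {
        size_t len;
        p += strspn(p, " \t");                      /* skip separators */
        if (*p == '\0' || *p == '\r' || *p == '\n')
            break;                                  /* end of line */
        len = strcspn(p, " \t\r\n");                /* token length */
        if (len >= MAX_COL_NAME)
            return -1;                              /* token would not fit with NUL */
        if (hdr->ncols >= MAX_COLS)
            return -1;                              /* too many columns */
        memcpy(hdr->names[hdr->ncols], p, len);
        hdr->names[hdr->ncols][len] = '\0';
        hdr->ncols++;
        p += len;
    }
    return (int)hdr->ncols;
}

/* Small wrappers over a file-scope header so a caller can check results
 * without managing the struct itself. */
static index_header g_hdr;

int header_column_count(const char *line)
{
    return parse_200_line(line, &g_hdr);
}

const char *header_column_name(size_t i)
{
    return i < g_hdr.ncols ? g_hdr.names[i] : "";
}

int main(void)
{
    /* Constructed sample lines: one well-formed header, one with an
     * oversized column name, one with too many columns. */
    const char *good = "200:filename content-length last-modified file-type\r\n";
    const char *big  = "200:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n";
    const char *many = "200:a b c d e f g h i\r\n";

    printf("good -> %d columns, last = %s\n",
           header_column_count(good), header_column_name(3));
    printf("big  -> %d (rejected)\n", header_column_count(big));
    printf("many -> %d (rejected)\n", header_column_count(many));
    return 0;
}
```

The point of the pair is the check placement: the bounded version measures each token with strcspn and tests both the token length and the running column count before any byte is written, so a hostile server can only make the parser return -1, never write outside the struct.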
11-14-2008, 03:30 AM | #2 |
Vampire
Join Date: January 29, 2003
Location: Sweden
Age: 43
Posts: 3,888
Re: ATTN: FireFox Users:
I don't use Chrome but I just updated to FF 3.0.4. Thanks for the warning.
__________________
Nothing is impossible, it's just a matter of probability.
11-14-2008, 05:08 AM | #3 |
Jack Burton
Join Date: May 16, 2003
Location: Dartmouth, NS Canada
Age: 58
Posts: 5,634
Re: ATTN: FireFox Users:
I just got the pop-up for the update last night. I didn't restart yet.
So, will this help with that stupid script message I get, or does this patch make things worse? ...I'm still tempted to go back to FF2.
__________________
A MAN WHO WANTS FOR NOTHING HAS INFINITE WEALTH. (me)
11-14-2008, 06:27 AM | #4 |
The Dreadnoks
Join Date: September 27, 2001
Location: Orlando, FL
Age: 61
Posts: 3,608
Re: ATTN: FireFox Users:
As with any update, the intent is to "fix" as many issues as possible across a very broad spectrum of users, hardware, and systems. I read your issue to be Java related, and it is addressed in this patch. As with anything nowadays, nothing is guaranteed. FF2 is smoother, but a bit dated, and has its own series of issues.
11-14-2008, 06:46 AM | #5 |
Jack Burton
Join Date: July 19, 2003
Location: an expat living in France
Age: 38
Posts: 5,577
Re: ATTN: FireFox Users:
I still prefer FF2, mostly due to the fact that I prefer the way the address bar worked in it...
11-14-2008, 07:06 AM | #6 |
Jack Burton
Join Date: May 16, 2003
Location: Dartmouth, NS Canada
Age: 58
Posts: 5,634
Re: ATTN: FireFox Users:
I never had any "issues" with FF2.
__________________
A MAN WHO WANTS FOR NOTHING HAS INFINITE WEALTH. (me)
11-14-2008, 07:28 PM | #7 |
The Dreadnoks
Join Date: September 27, 2001
Location: Orlando, FL
Age: 61
Posts: 3,608
Re: ATTN: FireFox Users:
Transparent issues to most users. However, as fast, sleek, and more manageable as it felt to users, hackers found it to be just as 'nice'. *Most* users of the Internet may never experience an issue; others seem to delve upon issue presence. Really though, it all depends on where you go, what you click while there, and how you manage your security settings.
11-19-2008, 07:38 AM | #8 |
Harper
Join Date: March 21, 2001
Location: Lancs, England
Age: 39
Posts: 4,729
Re: ATTN: FireFox Users:
Not had any issues with any of them so far.
__________________
=@
11-19-2008, 08:58 AM | #9 |
Jack Burton
Join Date: May 16, 2003
Location: Dartmouth, NS Canada
Age: 58
Posts: 5,634
Re: ATTN: FireFox Users:
I find the latest version is slower.
__________________
A MAN WHO WANTS FOR NOTHING HAS INFINITE WEALTH. (me)