Firefox 3.0.2 Released - dslreports.com

Forums » Up and Running » Security » Security » Firefox 3.0.2 Released


Uniqs: 1547	Share Topic:	RSS topic:	toggle: flat / full normal / watch	Posting:	Post a:	Post a:

Links: ·Hijack This logs? ·Panda Free Tools ·Vundo Removal

Malvertisement on MSNBC.com using clipboard (copy/paste) »
« P2P Surprises

SUMware Premium join:2002-05-21	Firefox 3.0.2 Released Fixed in Firefox 3.0.2 MFSA 2008-44 resource: traversal vulnerabilities MFSA 2008-43 BOM characters stripped from JavaScript before execution MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17) MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution MFSA 2008-40 Forced mouse drag
	permalink · 2008-09-24 10:58:29 ·

DrModem Premium join:2006-10-19 USA	Re: Firefox 3.0.2 Released Hopefully this will fix those annoying crashes that wipe my cache all the time.
	permalink · 2008-09-24 11:11:54 ·

JTM1051
Premium,MVM
join:2000-07-08
Moorpark, CA

Re: Firefox 3.0.2 & 2.0.0.17 Released

Also Fx 2.0.0.17 released:

Vulnerabilities Fixed
MFSA 2008-45 XBM image uninitialized memory reading
MFSA 2008-44 resource: traversal vulnerabilities
MFSA 2008-43 BOM characters stripped from JavaScript before execution
MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
MFSA 2008-40 Forced mouse drag
MFSA 2008-39 Privilege escalation using feed preview page and XSS flaw
MFSA 2008-38 nsXMLDocument::OnChannelRedirect() same-origin violation
MFSA 2008-37 UTF-8 URL stack buffer overflow

Fx 2.x Download Page

permalink · 2008-09-24 11:15:50 · Print ·

TKJunkMail Enjoy the sun Premium join:2002-03-03 Avalon, NJ ·Sprint Mobile Broa.. ·Comcast	Re: Firefox 3.0.2 & 2.0.0.17 Released More English like description of the security vulnerabilities that were patched. »news.cnet.com/8301-1009_3-100499···1_3-0-20
	permalink · 2008-09-24 15:36:32 ·

JTM1051 Premium,MVM join:2000-07-08 Moorpark, CA	Re: Firefox 3.0.2 & 2.0.0.17 Released said by TKJunkMail : More English like description of the security vulnerabilities that were patched. »news.cnet.com/8301-1009_3-100499···1_3-0-20 Just a FYI, at the Vulnerabilities Fixed, the links (e.g., "MFSA 2008-45) have more detailed descriptions -- IMHO looks like CNET basically used the same descriptions.
	permalink · 2008-09-24 16:25:06 · Print ·

avd706 insert annoying animated gif here Premium join:2003-02-06 Union, NJ	Re: Firefox 3.0.2 Released 3.0.2 build 6
	permalink · 2008-09-24 11:45:19 ·

roc5955 Premium join:2005-11-26 Rosendale, NY	Strange, as I was reading this message, I decided to see what version I have, and ver. 3.02 is downloading itself, as I type this! -- "Understanding is a three-edged sword."
	permalink · 2008-09-24 12:46:24 ·

SUMware
Premium
join:2002-05-21

From mozilla.dev.planning

From: Mike Beltzner
Date: Wed, 24 Sep 2008 21:38:37 -0400
Local: Wed, Sep 24 2008 9:38 pm
Subject: Firefox 3.0.3 required and underway

Hey everyone,

Shortly after releasing Firefox 3.0.2 our QA and Support teams began seeing reports of problems certain users were having with the Firefox Password Manager. This was being caused by non-ASCII data (in domains, logins or passwords) saved as something other than UTF-8 failing to convert back to Unicode (see bug 454708) which was a regression from a fix to make the Password Manager work on IDN sites with characters over U+0100 (see bug 451155).

The symptom is that users who have password data stores with non-ASCII data saved as something other than UTF-8 (more common for people who have saved passwords on IDN domains or non en-US domains) will not be able to access their saved passwords or create any new saved passwords. There is no permanent dataloss, the saved data is just inaccessible. While this doesn't affect all Firefox users, it is a significant regression and has triggered a fast-release Firefox 3.0.3 which will contain a single fix for this issue. Once released, this will restore the functionality for all users.

The fix has been landed and tested, and builds are coming out and being delivered to QA today. We hope to be releasing updates on the beta channel by early next week and issuing a release soon thereafter.

cheers,
mike

permalink · 2008-09-25 08:46:29 · Print ·

jdong
Eat A Beaver, Save A Tree.
Premium
join:2002-07-09
Rochester, MI
clubs:

quote:
Mozilla developer Paul Nickerson reported a variant of a click-hijacking vulnerability discovered in Internet Explorer by Liu Die Yu. The vulnerability allowed an attacker to move the content window while the mouse was being clicked, causing an item to be dragged rather than clicked-on. This issue could potentially be used to force a user to download a file or perform other drag-and-drop actions.

Am I the only one that finds some of the vulnerability scenarios these days to be a stretch to the point that they're funny?
--
Ubuntu MOTU Developer and Forums Council

permalink · 2008-09-25 08:52:22 · Print ·

Kayrac
Premium
join:2001-09-29
Rochester, NH

Re: Firefox 3.0.2 Released

said by jdong

quote:
Mozilla developer Paul Nickerson reported a variant of a click-hijacking vulnerability discovered in Internet Explorer by Liu Die Yu. The vulnerability allowed an attacker to move the content window while the mouse was being clicked, causing an item to be dragged rather than clicked-on. This issue could potentially be used to force a user to download a file or perform other drag-and-drop actions.

Am I the only one that finds some of the vulnerability scenarios these days to be a stretch to the point that they're funny?

a stretch maybe, but alot of stupid users, and alot of smart bad guys these days

permalink · 2008-09-25 09:11:51 · Print ·

jdong Eat A Beaver, Save A Tree. Premium join:2002-07-09 Rochester, MI clubs:	Re: Firefox 3.0.2 Released Indeed it's good to patch up all of these holes, but also this means that when reading stats on number of discovered vulnerabilities, one needs to keep in mind the severity of those discovered too.... Being able to fool someone into dragging their mouse is not quite the same as a drive-by download and execution vulnerability. -- Ubuntu MOTU Developer and Forums Council
	permalink · 2008-09-25 09:15:02 ·

chachazz
Premium
join:2003-12-14

1 edit

Re: Firefox 3.0.2 Released

The candidate builds are already 'ready for testing':
Firefox 3.0.3: »ftp://ftp.mozilla.org/pub/firefox/nigh···/build1/

quote:
Please hammer on this build mercilessly to make sure that your stuff works with it! If you notice things that worked in Firefox 3 or Firefox 2.0.0.17 and do not work in this release, we would like to know about it right away.

Read the Release Notes:
Firefox 3.0.3: »en-us.www.mozilla.com/en-US/fire···senotes/

Bugs specifically addressed in this build:
# bug 451155 - Password manager does not work correctly on IDN site whose name contains any character over U+0100
# bug 454708 - storage-Legacy can throw when calling ConvertToUnicode

(email)
marcia, on behalf of
Team Mozilla QA

--
Gladiator Security Forum: www.gladiator-antivirus.com/

permalink · 2008-09-26 14:57:38 · Print ·

your comment..

Forums » Up and Running » Security » Security	Malvertisement on MSNBC.com using clipboard (copy/paste) » « P2P Surprises


Tuesday, 08-Dec 19:53:12	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com. page compression OFF