fundamentals The Basics Premium Member join:2004-04-30 Moorpark, CA 1 edit |
Firefox 1.3 Patched
I fired up Firefox just now, and apparently the security holes that were discovered have been patched. That was a fast patch time, though I suppose Secunia may have notified the devs a while back. |
|
tempnexus Premium Member join:1999-08-11 Boston, MA |
didn't happen to me.
How do you know it's patched? Which build is it showing? |
|
EGeezer Premium Member join:2002-08-04 Midwest |
to fundamentals
Thanks for the update - it's good to find out there's a fix. I went to Firefox Central, then to the security center ( » www.mozilla.org/security ··· y_Alerts ). The latest news is April 15, 2005, with no information there on the present vulnerabilities, workarounds or fixes. The official list of known vulnerabilities, » www.mozilla.org/projects ··· ies.html , has no current information either. I have noticed these delays in the "user level" pages mentioned above in previous security issues. The lack of acknowledgment, information and availability of fixes is, to say the least, disconcerting. As FF becomes more popular and a more productive target for exploiters, the need for current information at the "Security Center" or Firefox Central will be greater. Users shouldn't have to get all their information and notices from third party sites. If they are to continue their progress into the marketplace, this needs to be fixed. |
|
storm64007 Premium Member join:2001-05-21 Freeport, NY |
to tempnexus
said by tempnexus: "didn't happen to me. How do you know it's patched? Which build is it showing?"
Ditto. No patch here. |
|
salzan Experienced Optimist Premium Member join:2004-01-08 WA State |
to fundamentals
The only info I can find on mozilla.org is this thread in "bugs": » forums.mozillazine.org/v ··· t=262520
There is a workaround for the install issue but no real fixes or patches seem to be available for either that or the IFRAME issue. |
|
fundamentals The Basics Premium Member join:2004-04-30 Moorpark, CA |
My version is: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3.
The reason I thought it was updated was because my auto update notification popped up, and it told me that there were updates available. I went to the updater, and it listed a fix for Firefox 1.3. At the bottom, in the description, it said "Update now to protect your computer from attacks". I downloaded it, and when it finished it brought up the Firefox installer, and I had to reinstall Firefox. I assumed that since there were security holes recently announced, the fix had been released. I could be mistaken, but one way to find out would be to manually run the updater and see if it comes up. |
|
Faram Premium Member join:2002-03-27 Sweden |
2005-May-9 3:13 am
That explains it. It is Firefox 1.0.3 that has the new security holes. » secunia.com/advisories/15292/
You had a Firefox older than 1.0.3 and updated to it, but it is still at risk from those new security holes. |
|
EGeezer Premium Member join:2002-08-04 Midwest |
to fundamentals
Update - FF - no patch available (09 May 10:22EDT)
My faith in the Mozilla security alerts is restoring as I post.
said by »www.mozilla.org/security ··· y_Alerts :
Security Advisory (May 8, 2005)
The Mozilla Foundation is aware of two potentially critical Firefox security vulnerabilities as reported publicly Saturday, May 7th.
There are currently no known active exploits of these vulnerabilities although a "proof of concept" has been reported. Changes to the Mozilla Update web service have been made to mitigate the risk of an exploit. Mozilla is aggressively working to provide a more comprehensive solution to these potential vulnerabilities and will provide that solution in a forthcoming security update.
Users can further protect themselves today by temporarily disabling JavaScript.
EG |
|
B04 Premium Member join:2000-10-28 |
2005-May-9 10:58 am
Re: Update - FF - no patch available (09 May 10:22
Nah, as noted by others at Slashdot and in the following excerpt from » www.mozillazine.org/talk ··· cle=6582 (linked off the Moz front page), that advice is way overkill -- you just have to disable "software installation".
-- B
Mozilla Arbitrary Code Executation Security Flaw
Sunday May 8th, 2005
A security flaw that allows a malicious site to execute arbitrary code on a user's system has been discovered in Mozilla Firefox. Secunia has probably one of the more accurate and concise write-ups of the code execution vulnerability. It appears to be the first "Extremely critical" Firefox flaw logged by Secunia.
The advisory explains that a successful attack involves exploiting two flaws: one involves tricking Firefox into thinking a software installation is being triggered by a whitelisted site, while the other relies on the software installation trigger not sufficiently checking icon URLs containing JavaScript code. The Secunia advisory suggests disabling JavaScript as a workaround; however, simply disabling software installation (Web Features panel of the Options/Preferences window in Firefox 1.0.3 or the Content panel in the latest trunk builds) eliminates the problem. |
|
EGeezer Premium Member join:2002-08-04 Midwest 1 edit |
2005-May-9 11:20 am
Re: choosing the workaround poison...
I've seen conflicting information in Secunia, Mozilla and other places - some say disable install, some say disable scripting, some say both - I chose to post the "official" security alert text and link simply because it appeared to be just that - official. Looks like Secunia et al. are ahead of Mozilla in updating the advisories.
Good to know the options and varying answers, though, so users of various paranoia levels can choose their own poison. |
|
B04 Premium Member join:2000-10-28 |
2005-May-9 11:24 am
See that's the problem -- I choose Mozilla suite, and there's not much there.
I don't THINK it's affected at all, but I'm not sure. (I don't feel like checking exploit demos.)
Since the suite's whitelist is empty (and deactivated) by default, it's probably immune in any case.
-- B |
|
EGeezer Premium Member join:2002-08-04 Midwest 1 edit |
2005-May-9 12:09 pm
B04, looks like the changes in the Mozilla extension D/L page seem to have thwarted the exploit POC I tried. I hadn't tried disabling in various combinations of Java, scripting, install prior to the change. Looks like we can only speculate on the dead horse at this point. |
|
JTM1051 MVM join:2000-07-08 Moorpark, CA |
to B04
Mozilla Foundation Security Advisory 2005-42
Description
Two vulnerabilities were found in Mozilla Firefox that combined allow an attacker to run arbitrary code. The Mozilla Suite is only partially vulnerable.
By causing a frame to navigate back to a previous javascript: url an attacker can inject script into any site. This could be used to steal cookies or sensitive data from that site, or to perform actions on behalf of that user. (Affects Firefox and the Suite).
A separate vulnerability in the Firefox install confirmation dialog allows an attacker to execute arbitrary code by using a javascript: URL as the package icon. By default only the Mozilla Foundation update site is allowed to bring up this dialog, but the script injection vulnerability described above enables this to be exploited from any malicious site.
The Mozilla Foundation has modified the update servers to prevent their use in this attack, but this is only partial protection.
Workaround
Disable Javascript. Software updates can be disabled, but that protects only against the second issue and not the first. |
|
|
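The second flaw in the advisory above comes down to an install dialog loading a package icon URL without checking its scheme. As an added illustration (not part of any post in this thread and not Mozilla's code), the following JavaScript allowlists icon URL schemes before a dialog uses them; `safeIconUrl`, `vetInstallRequest` and the sample URLs are hypothetical, and the WHATWG `URL` parser (Node.js or a current browser) is assumed.

```javascript
// Added example, not Mozilla's code. Function names and sample URLs are constructed.
"use strict";

// Only schemes that fetch an image over the network are acceptable for an icon.
const ALLOWED_ICON_SCHEMES = new Set(["http:", "https:"]);

// Resolve the icon URL against the requesting page and return the normalized
// absolute URL, or null if it cannot be parsed or uses a non-allowlisted scheme.
function safeIconUrl(rawIconUrl, pageUrl) {
  if (typeof rawIconUrl !== "string" || rawIconUrl.length === 0) return null;
  let parsed;
  try {
    // The WHATWG parser trims surrounding whitespace, drops embedded tabs and
    // newlines, and lowercases the scheme, so obfuscated schemes are normalized
    // before the comparison instead of being matched as raw text.
    parsed = new URL(rawIconUrl, pageUrl);
  } catch (err) {
    return null;
  }
  return ALLOWED_ICON_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Vet one install request before any confirmation dialog is built from it.
// An unusable icon becomes null (the caller shows a built-in default icon).
function vetInstallRequest(request, pageUrl) {
  const iconUrl = safeIconUrl(request.iconUrl, pageUrl);
  return { name: String(request.name), iconUrl, iconRejected: iconUrl === null };
}

// Constructed sample requests, as a page might pass them to an install trigger.
const PAGE = "https://addons.example/extensions/";
const SAMPLES = [
  { name: "ok-relative", iconUrl: "icons/pkg.png" },
  { name: "ok-absolute", iconUrl: "https://cdn.example/pkg.png" },
  { name: "script-scheme", iconUrl: "javascript:void(0)" },
  { name: "obfuscated", iconUrl: "  JaVa\tScRiPt:void(0)" },
  { name: "data-scheme", iconUrl: "data:image/png;base64,AAAA" },
];

function vetSamples() {
  return SAMPLES.map((req) => vetInstallRequest(req, PAGE));
}

for (const r of vetSamples()) {
  console.log(r.name, r.iconRejected ? "REJECTED" : r.iconUrl);
}
```

The check covers only the icon-scheme issue; the frame script-injection issue described in the same advisory is a separate bug that this does not address.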
bcool Premium Member join:2000-08-25 |
to EGeezer
said by EGeezer: "Good to know the options and varying answers, though, so users of various paranoia levels can choose their own poison."
Now that was just clever. And so true... |
|
Marilla9 I Am My Own Arbiter Premium Member join:2002-12-06 Belpre, OH |
to JTM1051
said by JTM1051: "Workaround: Disable Javascript. Software updates can be disabled, but that protects only against the second issue and not the first."
I was under the impression that both vulnerabilities needed to be used together in order to run 'code-of-choice', so that while disabling software updates/downloads might only address one of the issues, that's enough to prevent exploitation without user-intervention? |
|
| Marilla9 |
to JTM1051
said by JTM1051: "Workaround: Disable Javascript. Software updates can be disabled, but that protects only against the second issue and not the first."
I was under the impression that the two issues needed to be exploited together in order to permit 'code of choice' to be run, without user intervention... so even though disabling software installs only prevents one avenue, that's enough to successfully mitigate here. |
|
javaMan The Dude abides. MVM join:2002-07-15 San Luis Obispo, CA |
said by Marilla9:
"said by JTM1051: 'Workaround: Disable Javascript. Software updates can be disabled, but that protects only against the second issue and not the first.'
I was under the impression that the two issues needed to be exploited together in order to permit 'code of choice' to be run, without user intervention... so even though disabling software installs only prevents one avenue, that's enough to successfully mitigate here."
That was my impression as well. I haven't looked closely at the issue but from what I've read it would seem to me that disabling automatic installations should be sufficient since this is necessary in order for the JavaScript exploit to have an effect. But I've been known to be mistaken. |
|