21 Firefox vulnerabilities reported today

By OrangeSoul
in Back Page News

 Share

Recommended Posts

Experienced

+Cryton Subscriber²

Posted
  • Subscriber²
Posted (edited)

and neither did neowin.

The headline "Firefox Update Contains 21 Security Fixes" indeed _does_ imply that the most recently released update (to 1.5.0.2) contained 21 security fixes. Which it doesn't.
Late last week, the Mozilla foundation rolled out an update for Firefox, a web browser. Whilst they somewhat coyly alluded to a number of fixes in the version, it wasn't immediately clear the scale of fixes contained in the update. In case you were in any doubt, the number is 21
This STATES that the update contained 21 security fixes, which is TOTALLY wrong.

Otherwise, next time MS releases an IE patch, why not compare it to an unpatched IE5 and say "IE Update contains 200 security fixes!"

Edited by Cryton
Experienced

MMaster23

Posted
Posted

wow ... look at the firefox fanboys .. "Yeah most of them already upgraded" ... that doesn't mean that there weren't there. People are always talking **** about IE. Yeah IE had it's problems but hey it was one of the first webbrowsers on the Windows platform. And all you fanboys should also have a look at the latest IE6 and also the IE7 beta2. IE6 on XP SP2 + anti-virus is almost unhackable. I can safely browse the most spyware loaded website in IE6.0 without one infection.

So saying that Firefox is secure is just plain bull. The idiots that use it are just too stupid to admit that the browser isn't perfect. It's slow as hell ... hell even Safari is faster.

Thanks Secunia ... you made my day :)

Grand Master

bangbang023 Veteran

Posted
  • Veteran
Posted

wow ... look at the firefox fanboys .. "Yeah most of them already upgraded" ... that doesn't mean that there weren't there. People are always talking **** about IE. Yeah IE had it's problems but hey it was one of the first webbrowsers on the Windows platform. And all you fanboys should also have a look at the latest IE6 and also the IE7 beta2. IE6 on XP SP2 + anti-virus is almost unhackable. I can safely browse the most spyware loaded website in IE6.0 without one infection.

So saying that Firefox is secure is just plain bull. The idiots that use it are just too stupid to admit that the browser isn't perfect. It's slow as hell ... hell even Safari is faster.

Thanks Secunia ... you made my day :)

You come out and call people fan boys yet come across as an anti-Fx fanboy yourself. What's so hard about not being so biased towards any browser? Some people....

And, for the record, I don't think anyone in this thread has claimed Fx to be perfect or better than IE.

Grand Master

Julius Caro

Posted
Posted

wow ... look at the firefox fanboys .. "Yeah most of them already upgraded" ... that doesn't mean that there weren't there. People are always talking **** about IE. Yeah IE had it's problems but hey it was one of the first webbrowsers on the Windows platform. And all you fanboys should also have a look at the latest IE6 and also the IE7 beta2. IE6 on XP SP2 + anti-virus is almost unhackable. I can safely browse the most spyware loaded website in IE6.0 without one infection.

So saying that Firefox is secure is just plain bull. The idiots that use it are just too stupid to admit that the browser isn't perfect. It's slow as hell ... hell even Safari is faster.

Thanks Secunia ... you made my day :)

How did secunia make your day? By posting vulnerabilities that HAVE ALREADY BEEN PATCHED?

I guess we can't say that X or Y is the most secure browser. If IE is (or was) insecure, it is because it IS the main target, beeing the most used browser. And people are not wrong when they say that IE sucked, because Microsoft had simply stopped working on IE. They began to care when Firefox was released, and they released SP2.

Right now, with Firefox getting more and more users, vulnerabilities are to be expected. I think it's REALLY possitive that they get patched fastly.

Grand Master

zivan56

Posted
Posted

You can't compare vulnerabilities of open and closed source applications. Closed source programs can be really shoddily made and have thousands of exploits, but they are harder to find since you don't have the source available to the general public. Furthemore, you have people finding 'exploits' which are totally ridiculous (probably most of the listed ones can't be exploited unless you have someone making an extension which you install and they know how to find a location in memory which to overwrite (which is close to impossible)).

Another useful thing with open source programs is that anybody can write a patch to fix it, and it doesn't take 3+ months to do so (compatability testing included)

Rising Star

Sub_Zero_Alchemist

Posted
Posted

Another great reason to move to Opera, the fastest, most secure browser...Period.

Why bring Opera name into this thread, it has nothing to do with Firefox . and as for Opera being the most secure browser i doubt that,no browser is. if Opera gets popluar just as Firefox and IE, it going has these problems as well.

Mentor

macstorm

Posted
Posted

http://secunia.com/advisories/19631/

Description:

Multiple vulnerabilities have been reported in Firefox, which can be exploited by malicious people to conduct cross-site scripting and phishing attacks, bypass certain security restrictions, disclose sensitive information, and potentially compromise a user's system.

1) An error exists where JavaScript can be injected into another page, which is currently loading. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.

2) An error in the garbage collection in the JavaScript engine can be exploited to cause a memory corruption.

Successful exploitation may allow execution of arbitrary code.

3) A boundary error in the CSS border rendering implementation may be exploited to write past the end of an array.

4) An integer overflow in the handling of overly long regular expressions in JavaScript may be exploited to execute arbitrary JavaScript bytecode.

5) Two errors in the handling of "-moz-grid" and "-moz-grid-group" display styles may be exploited to execute arbitrary code.

6) An error in the "InstallTrigger.install()" method can be exploited to cause a memory corruption.

7) An unspecified error can be exploited to spoof the secure lock icon and the address bar by changing the location of a pop-up window in certain situations.

Successful exploitation requires that the "Entering secure site" dialog has been enabled (not enabled by default).

8) It is possible to trick users into downloading malicious files via the "Save image as..." menu option.

9) A JavaScript function created via an "eval()" call associated with a method of an XBL binding may be compiled with incorrect privileges. This can be exploited to execute arbitrary code.

10) An error where the "Object.watch()" method exposes the internal "clone parent" function object can be exploited to execute arbitrary JavaScript code with escalated privileges.

Successful exploitation allows execution of arbitrary code.

11) An error in the protection of the compilation scope of built-in privileged XBL bindings can be exploited to execute arbitrary JavaScript code with escalated privileges.

Successful exploitation allows execution of arbitrary code.

12) An unspecified error can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site via the window.controllers array.

13) An error in the processing of a certain sequence of HTML tags can be exploited to cause a memory corruption.

Successful exploitation allows execution of arbitrary code.

14) An error in the "valueOf.call()" and "valueOf.apply()" methods can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.

15) Some errors in the DHTML implementation can be exploited to cause a memory corruption.

Successful exploitation may allow execution of arbitrary code.

16) An integer overflow error in the processing of the CSS letter-spacing property can be exploited to cause a heap-based buffer overflow.

Successful exploitation allows execution of arbitrary code.

17) An error in the handling of file upload controls can be exploited to upload arbitrary files from a user's system by e.g. dynamically changing a text input box to a file upload control.

18) An unspecified error in the "crypto.generateCRMFRequest()" method can be exploited to execute arbitrary code.

19) An error in the handling of scripts in XBL controls can be exploited to gain chrome privileges via the "Print Preview" functionality.

20) An error in a security check in the "js_ValueToFunctionObject()" method can be exploited to execute arbitrary code via "setTimeout()" and "ForEach".

21) An error in the interaction between XUL content windows and the history mechanism can be exploited to trick users into interacting with a browser user interface which is not visible.

Successful exploitation may allow execution of arbitrary code.

Solution:

Update to versions 1.0.8 or 1.5.0.2.

:laugh:

Mentor

ZTrang

Posted
Posted

And all you fanboys should also have a look at the latest IE6 and also the IE7 beta2. IE6 on XP SP2 + anti-virus is almost unhackable. I can safely browse the most spyware loaded website in IE6.0 without one infection.

Interesting - you've really enlightened me. So, ah, what's your IP address? I'm just... curious.... :whistle:

:laugh:

Will people please stop quoting the entire (very long) original post and then replying with a useless one-line response?

Grand Master

L3thal Veteran

Posted
  • Veteran
Posted

I'd just like to point out how none of these vulnerabilities were exploited. That's still one thing Firefox has over IE.

Do you have any proof that none were exploited? I mean, there were and still are 21 exploits (if you're not using .2) and its hard to believe no one exploited not a single one of those vulnerabilities.

Grand Master

Berserk87

Posted
Posted

wow ... look at the firefox fanboys .. "Yeah most of them already upgraded" ... that doesn't mean that there weren't there. People are always talking **** about IE. Yeah IE had it's problems but hey it was one of the first webbrowsers on the Windows platform. And all you fanboys should also have a look at the latest IE6 and also the IE7 beta2. IE6 on XP SP2 + anti-virus is almost unhackable. I can safely browse the most spyware loaded website in IE6.0 without one infection.

So saying that Firefox is secure is just plain bull. The idiots that use it are just too stupid to admit that the browser isn't perfect. It's slow as hell ... hell even Safari is faster.

Thanks Secunia ... you made my day :)

rofl :D u made me laugh! :laugh:

IE6 it not close to unhackable, almost everything is hackable, including firefox, they just havnt been found/designed yet.

and the spyware thing...since using firefox i get like 3 tracking cookies every now and then, when i used IE, i would get spyware al the time.

Grand Master

supernova_00

Posted
Posted

To clear some things up because reading a few of your guys comments and its clear you donno what your talking about.

Its like this. I report a vulnerbility throught mozilla's bugzilla and mark it as security. Mozilla fixes problem. New release. Mozilla released the info to secunia and public after a few days after release.

or its like this joe blow reports to secunia a problem and secunia posts it right away.

so this happend with these 21, people reported to mozilla or devs found them and not secunia and patches were made and a release was done.

Grand Master

XerXis

Posted
Posted

and the spyware thing...since using firefox i get like 3 tracking cookies every now and then, when i used IE, i would get spyware al the time.

cookies are cookies, you block them or you don't. there should be no difference between ff, opera and ie on that account. at least that's what i think

Veteran

Guol

Posted
Posted

Another great reason to move to Opera, the fastest, most secure browser...Period.

Nobody cares, mate..And anyway, you have nothing to prove it is more secure..

In fact, it could be so insecure that they have decided not to inform Secunia of the vulnerabilities..

@Raven or firefox 1.0, where does IE come in here?

It's interesting how these vulnerabilities are mentioned after an updated version is released. It's been a while before .1 was released, and those vulnerabilities were there at the time too. But once again, competition is good, wonder what ms thinks about these fixes.

Well IMO I think it's quite good, because it shows something is actually being done..

And yeh, great for competition.. :shifty:

wow ... look at the firefox fanboys .. "Yeah most of them already upgraded" ... that doesn't mean that there weren't there. People are always talking **** about IE. Yeah IE had it's problems but hey it was one of the first webbrowsers on the Windows platform. And all you fanboys should also have a look at the latest IE6 and also the IE7 beta2. IE6 on XP SP2 + anti-virus is almost unhackable. I can safely browse the most spyware loaded website in IE6.0 without one infection.

So saying that Firefox is secure is just plain bull. The idiots that use it are just too stupid to admit that the browser isn't perfect. It's slow as hell ... hell even Safari is faster.

Thanks Secunia ... you made my day :)

What the heck are you on about?? Really..

Yeh, us 'fanboys' have upgraded..good for us if we have the safety of our PC in our best interests, and don't want the vulnerabilitys to be exploited.

And guess what, smartass...my firefox upgraded for me on it's own accord! :p

"IE6 + SP2 + Anti-virus" is unhackable..Stop talking out of your ass..

How can AV's stop you from being hacked..I think you might be talking about a firewall there ;)

And how do you know that since you have SP2 there are no vulnerability's in IE..

OF COURSE THERE ARE..nothing is perfect..Believe me when I say the new IE7 is far from perfect..

Wake up to the light...might clear those misconceptions your mind seems to be filled with ;)

Guess what..nobody said Firefox is perfectly secure..But let me tell you this..Firefox is secure enough for me already, and with Mozilla releasing patches in such a short time I don't think I am very worried about being 'hacked'..

And another thing.. It looks to me like YOU'RE the idiot judging by your post..Didn't I just admit Firefox wasn't perfect? And believe me..only an idiot like you could make Firefox slow :laugh:

And what exactly are you thanking Secunia for? Pointing out what a great job Mozilla are doing at patching vulnerabilities? Wow, that's one thing I must agree with you on..

Great to see we finally have an understanding.. :cool:

I'd just like to point out how none of these vulnerabilities were exploited. That's still one thing Firefox has over IE.

Tell that to the poser I quoted above :rolleyes:

And at the actual article..Good job Mozilla for patching everything so fast, and Secunia for helping bring that information to the eye of the public.. :)

Grand Master

The_Decryptor Veteran

Posted
  • Veteran
Posted

Do you have any proof that none were exploited? I mean, there were and still are 21 exploits (if you're not using .2) and its hard to believe no one exploited not a single one of those vulnerabilities.

There are only 7 in 1.5.0.1 (18 in 1.0.7)

Experienced

+Cryton Subscriber²

Posted
  • Subscriber²
Posted

An update to 1.5.1.x would indicate an API changed that extension(s) use. So if firefox was bumped to 1.5.1.x then all your existing extensions would stop working until their <maxversion> was bumped to 1.5.1.* (Currently they should all be set to 1.5.0.*)

Since no API changes have been made, only security/stability fixes, then bumping 1.5.0.1 to 1.5.0.2 was the right thing to do; all extensions still work as they did before.

Rookie

Jzilla

Posted
Posted (edited)

Do you have any proof that none were exploited? I mean, there were and still are 21 exploits (if you're not using .2) and its hard to believe no one exploited not a single one of those vulnerabilities.

There are only 7 in 1.5.0.1 (18 in 1.0.8)

Well one can blame Secunia for making people assume right off the bat that it was referring to 1.5.0.2 with all 21 fixes.

http://www.mozilla.org/projects/security/k...rabilities.html

Most of those advisories don't affect 1.5.0.1. The ones at the start say they affect Firefox before 1.5.0.2, the rest say they affect Firefox before 1.5 when in fact only 7 fixes are featured in 1.5.0.2 compared to a whopping 18 in 1.0.8.

By the way for Firefox 1.0.8 unlike what they planned in the past they decided that 1.0.8 will be the last of the old Aviary1.0.1 Branch releases unless something comes up to warrant a 1.0.9

Edited by Jzilla
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.