196 replies to this topic

[AplusWebMaster]

FYI...

Firefox v3.0.9 released

From an admin account, start Firefox, then >Help >Check for Updates
-or-

Download Firefox v3.0.9
- http://www.mozilla.c...irefox/all.html

Fixed in Firefox 3.0.9
- http://www.mozilla.o...ml#firefox3.0.9
MFSA 2009-22 Firefox allows Refresh header to redirect to java script: URIs
MFSA 2009-21 POST data sent to wrong site when saving web page with embedded frame
MFSA 2009-20 Malicious search plugins can inject code into arbitrary sites
MFSA 2009-19 Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString
MFSA 2009-18 XSS hazard using third-party stylesheets and XBL bindings
MFSA 2009-17 Same-origin violations when Adobe Flash loaded via view-source: scheme
MFSA 2009-16 jar: scheme ignores the content-disposition: header on the inner URI
MFSA 2009-15 URL spoofing with box drawing character
MFSA 2009-14 Crashes with evidence of memory corruption (rv:1.9.0.9)

- http://secunia.com/advisories/34758/2/
Release Date: 2009-04-22
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.x ...
Solution: Update to version 3.0.9...
CVE reference:
http://web.nvd.nist....d=CVE-2009-1302
http://web.nvd.nist....d=CVE-2009-1303
http://web.nvd.nist....d=CVE-2009-1304
http://web.nvd.nist....d=CVE-2009-1305
http://web.nvd.nist....d=CVE-2009-1306
http://web.nvd.nist....d=CVE-2009-1307
http://web.nvd.nist....d=CVE-2009-1308
http://web.nvd.nist....d=CVE-2009-1309
http://web.nvd.nist....d=CVE-2009-1310
http://web.nvd.nist....d=CVE-2009-1311
http://web.nvd.nist....d=CVE-2009-1312

Edited by AplusWebMaster, 22 April 2009 - 05:51 PM.
Added Secunia advisory and CVE refs...

[AplusWebMaster]

FYI...

Firefox v3.0.10 released

From an admin account, start Firefox, then >Help >Check for Updates
-or-

Download Firefox v3.0.10
- http://www.mozilla.c...irefox/all.html

Fixed in Firefox 3.0.10
- http://www.mozilla.o...l#firefox3.0.10
MFSA 2009-23 Crash in nsTextFrame::ClearTextRun()

- http://cve.mitre.org...e=CVE-2009-1313

- http://secunia.com/advisories/34866/2/
Release Date: 2009-04-28
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.x ...
Solution: Update to version 3.0.10...
Original Advisory: http://www.mozilla.o...fsa2009-23.html

Edited by AplusWebMaster, 28 April 2009 - 05:57 AM.
Added Secunia advisory info...

[AplusWebMaster]

FYI...

Firefox v3.0.11 released

From an admin account, start Firefox, then >Help >Check for Updates
-or-

Download Firefox v3.0.11
- http://www.mozilla.c...irefox/all.html

Fixed in Firefox 3.0.11
- http://www.mozilla.o...l#firefox3.0.11
MFSA 2009-32 JavaScript chrome privilege escalation
MFSA 2009-31 XUL scripts bypass content-policy checks
MFSA 2009-30 Incorrect principal set for file: resources loaded via location bar
MFSA 2009-29 Arbitrary code execution using event listeners attached to an element whose owner document is null
MFSA 2009-28 Race condition while accessing the private data of a NPObject JS wrapper class object
MFSA 2009-27 SSL tampering via non-200 responses to proxy CONNECT requests
MFSA 2009-26 Arbitrary domain cookie access by local file: resources
MFSA 2009-25 URL spoofing with invalid unicode characters
MFSA 2009-24 Crashes with evidence of memory corruption (rv:1.9.0.11)

- http://secunia.com/advisories/35331/2/
Release Date: 2009-06-12
Critical: Highly critical
Impact: Security Bypass, Spoofing, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.x ...
Solution: Update to version 3.0.11 ...

Edited by AplusWebMaster, 12 June 2009 - 05:43 AM.
Added Secunia advisory link...

[AplusWebMaster]

FYI...

- http://support.mozil...d...irefox 3·5
"... To upgrade from Firefox 3.0.x, open the Help menu (from an Admin account) and click Check for Updates..."
(NOTE: Some add-on's may not be compatible until they are updated*)
-OR-
Firefox v.3.5 released / Download
- http://www.mozilla.c...ox/firefox.html
June 30th, 2009

Release Notes / *Known issues
- http://www.mozilla.c...5/releasenotes/

Security & Privacy
- http://www.mozilla.c...tures/#security

Video
- http://www.mozilla.c...?video=security

- http://www.f-secure....s/00001712.html
July 1, 2009 - "... when I installed Firefox 3.5 the Private Browsing option was disabled. What?..."

Firefox v3.5.1 patch to be released...
- http://www.theregist..._firefox_3_5_1/
3 July 2009
___

- https://wiki.mozilla...derbird_2.0.0.x
Firefox 3.0.12
* Code frozen as of Thursday last week
* Targeting mid/late-July release ...

- http://www.computerw...ticleId=9135001
June 30, 2009 - "... the kill date for Version 3.0 will be Dec. 31, 2009..."

Edited by AplusWebMaster, 04 July 2009 - 11:56 AM.
Added F-secure link...

[AplusWebMaster]

FYI...

Firefox memory corruption vuln - unpatched
- http://secunia.com/advisories/35798/2/
Release Date: 2009-07-14
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Mozilla Firefox 3.5.x
Solution: Do not browse untrusted websites or follow untrusted links...
Original Advisory: http://milw0rm.com/exploits/9137 ...

- http://www.us-cert.g...5_vulnerability
July 14, 2009

Per: http://voices.washin...ical_firef.html
July 14, 2009 - "... Fortunately, there is a relatively easy fix for this that can be reversed once Mozilla issues a patch. To disable the vulnerable component, open up a new Firefox window and type "about:config" (without the quotes) in the browser's address bar. In the "filter" box, type "jit" and you should see a setting called "javascript.options.jit.content". You should notice that beside that setting it reads "true," meaning the setting is enabled. If you just double-click on that setting, it should disable it, changing the option to "false." That's it.
Note that making this change will slow down Javascript rendering in Firefox 3.5 to 3.0 speeds, but that may be a worthwhile trade-off for readers concerned about the availability of exploit code for this flaw."
... 'Glad that Brian Krebs guy is around. :-)
Edit/add: Also found (later) here:
- http://blog.mozilla....-in-firefox-35/

- https://isc.sans.org...ml?storyid=6796
Last Updated: 2009-07-16 17:54:23 UTC ...(Version: 4) - "... this exploit has been spotted in the wild. The attacked just used Metasploit to create it and put a PoisonIvy client as the payload. Unfortunately, the payload has been packed with a packer that prevented some AV vendors so the detection isn't all that great..."

Edited by AplusWebMaster, 17 July 2009 - 05:19 PM.
Added US-CERT and Security Fix link...

[AplusWebMaster]

FYI...

Firefox v3.5.1 released

From an admin account, start Firefox, then >Help >Check for Updates
-OR-

Download Firefox v3.5.1
- http://www.mozilla.c...irefox/all.html

Complete list of changes in this version
- https://bugzilla.moz...verified1.9.1.1
> 22 bugs found.

- http://www.mozilla.o...fsa2009-41.html
July 16, 2009

- http://isc.sans.org/...ml?storyid=6817
Last Updated: 2009-07-17 07:17:02 UTC - "... if you applied the workaround by disabling the JIT in about:config, remember to turn it back on"

- http://www.mozilla.c...1/releasenotes/
Installing... Please note that installing Firefox 3.5 will overwrite your existing installation of Firefox. You won’t lose any of your bookmarks or browsing history, but some of your extensions and other add-ons might not work until updates for them are made available. You can reinstall an older version later if you wish to downgrade.
> http://www.mozilla.c.../all-older.html
___

> https://wiki.mozilla...derbird_2.0.0.x
2009-07-13
• Firefox 3.0.12 ...
* final ship next week

Edited by AplusWebMaster, 17 July 2009 - 03:41 AM.

[AplusWebMaster]

FYI...

NEW vuln - FireFox 3.5.1 confirmed, exploit PoC, no patch
- http://isc.sans.org/...ml?storyid=6829
Last Updated: 2009-07-18 15:04:23 UTC - "Various analysts and sites have recently confirmed a vulnerability is present in FireFox 3.5.1 that has had exploit PoC released. When exploited, the vulnerability can lead to system compromise or induce a DOS. No Patch is available."
Mozilla Firefox 3.5 Unicode Data Remote Stack Buffer Overflow Vulnerability
> http://www.securityf....com/bid/35707/
CVE-2009-2479
> http://web.nvd.nist....d=CVE-2009-2479
Last revised: 07/16/2009
CVSS v2 Base Score: 10.0 (HIGH)
>> http://xforce.iss.ne...orce/xfdb/51729
Reported: July 15, 2009
>> http://www.milw0rm.com/exploits/9158
[2009-07-15]

milw0rm 9158 “stack overflow” crash not exploitable (CVE-2009-2479)
- http://blog.mozilla....-cve-2009-2479/
07.19.09 - "In the last few days, there have been several reports (including one via SANS) of a bug in Firefox related to handling of certain very long Unicode strings. While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug. Our analysis indicates that it is -not-, and we have seen no example of exploitability... we believe that the IBM report is in error, and that the severity rating in the National Vulnerability Database report is incorrect. We have contacted them and hope to resolve the inaccuracies shortly."

Edited by AplusWebMaster, 19 July 2009 - 06:52 PM.
Added Mozilla security blog reply...

[AplusWebMaster]

FYI...

Firefox v3.0.12 released
From an admin account, start Firefox, then >Help >Check for Updates
-or-

Download Firefox v3.0.12
- http://www.mozilla.c.../all-older.html

- http://www.mozilla.o...l#firefox3.0.12
Fixed in Firefox 3.0.12
MFSA 2009-40 Multiple cross origin wrapper bypasses
MFSA 2009-39 setTimeout loses XPCNativeWrappers
MFSA 2009-37 Crash and remote code execution using watch and __defineSetter__ on SVG element
MFSA 2009-36 Heap/integer overflows in font glyph rendering libraries
MFSA 2009-35 Crash and remote code execution during Flash player unloading
MFSA 2009-34 Crashes with evidence of memory corruption (rv:1.9.1/1.9.0.12)

- http://secunia.com/advisories/35914/2/
Release Date: 2009-07-22
Critical: Highly critical
Impact: System access, Cross Site Scripting
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.0.x ...
Solution: Update to version 3.0.12 ...

Edited by AplusWebMaster, 22 July 2009 - 04:43 AM.
Added Secunia advisory link...

[AplusWebMaster]

FYI...

Firefox v3.5.2 released

From an admin account, start Firefox, then > Help > Check for Updates
-or-
Download: http://www.mozilla.c...irefox/all.html
v.3.5.2, released August 3rd, 2009

Release Notes: http://www.mozilla.c...2/releasenotes/

- http://www.mozilla.o...ml#firefox3.5.2
Fixed in Firefox 3.5.2
MFSA 2009-46 Chrome privilege escalation due to incorrectly cached wrapper
MFSA 2009-45 Crashes with evidence of memory corruption (rv:1.9.1.2/1.9.0.13)
MFSA 2009-44 Location bar and SSL indicator spoofing via window.open() on invalid URL
MFSA 2009-38 Data corruption with SOCKS5 reply containing DNS name longer than 15 characters
___

Firefox v3.0.13 released

From an admin account, start Firefox, then > Help > Check for Updates
-or-
Download: http://www.mozilla.c.../all-older.html
v3.0.13, released August 3rd, 2009

Release Notes: http://www.mozilla.c...3/releasenotes/

- http://www.mozilla.o...l#firefox3.0.13
Fixed in Firefox 3.0.13
MFSA 2009-44 Location bar and SSL indicator spoofing via window.open() on invalid URL
MFSA 2009-43 Heap overflow in certificate regexp parsing
MFSA 2009-42 Compromise of SSL-protected communication
___

- http://secunia.com/advisories/36001/2/
Last Update: 2009-08-07
Critical: Highly critical
Impact: System access, Spoofing
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.0.x, Mozilla Firefox 3.5.x ...
Solution: Update to version 3.5.2 or 3.0.13...

- http://secunia.com/advisories/36088/2/
Last Update: 2009-08-07
Critical: Highly critical
Impact: Security Bypass, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.0.x
Solution: Update to version 3.0.13...
___

* https://wiki.mozilla...derbird_2.0.0.x
• short cycle release to fix new issues announced at BlackHat and Defcon
___

- http://www.eset.com/...ty-less-privacy
August 6, 2009 - "... a few days ago when I allowed Firefox to update to fix security vulnerabilities my privacy settings were reset to less private settings. I had Firefox set to clear the history on exit, and prompt me. I also had it set not to accept third party cookies. After the upgrade the settings were reset to defaults. I simply happened to notice that I wasn’t prompted when I closed Firefox... This is not a behavior that should be happening. Perhaps my computer is an anomaly and there is a conflict... At any rate, it is always a good idea to check the settings of your programs periodically, and especially after an update..."

Edited by AplusWebMaster, 16 August 2009 - 05:01 AM.

[AplusWebMaster]

FYI...

Firefox will check Flash...
- http://blog.mozilla....lugins-updated/
September 04, 2009 - "Starting with the upcoming releases of Firefox 3.5.3 and Firefox 3.0.14, Mozilla will warn users if their version of the popular Adobe Flash Player plugin is out of date. Old versions of plugins can cause crashes and other stability problems, and can also be a significant security risk. For now our focus is on the Adobe Flash Player both because of its popularity and because some studies have shown that as many as 80% of users currently have an out of date version*..."
* http://blogs.zdnet.c...ecurity/?p=4097

- https://wiki.mozilla...derbird_2.0.0.x
WeeklyUpdates/2009-08-31
• Firefox 3.0.14 / Firefox 3.5.3
> on track for release next week

Edited by AplusWebMaster, 06 September 2009 - 05:20 AM.

[AplusWebMaster]

FYI...

Firefox v3.5.3 released

From an admin account, start Firefox, then > Help > Check for Updates
-or-
Download: http://www.mozilla.c...irefox/all.html
v.3.5.3, released September 9, 2009

- http://www.mozilla.o...ml#firefox3.5.3
Fixed in Firefox 3.5.3
MFSA 2009-51 Chrome privilege escalation with FeedWriter
MFSA 2009-50 Location bar spoofing via tall line-height Unicode characters
MFSA 2009-49 TreeColumns dangling pointer vulnerability
MFSA 2009-47 Crashes with evidence of memory corruption (rv:1.9.1.3/1.9.0.14)
___

Firefox v3.0.14 released

From an admin account, start Firefox, then > Help > Check for Updates
-or-
Download: http://www.mozilla.c.../all-older.html
v3.0.14, released September 9, 2009

- http://www.mozilla.o...l#firefox3.0.14
Fixed in Firefox 3.0.14
MFSA 2009-51 Chrome privilege escalation with FeedWriter
MFSA 2009-50 Location bar spoofing via tall line-height Unicode characters
MFSA 2009-49 TreeColumns dangling pointer vulnerability
MFSA 2009-48 Insufficient warning for PKCS11 module installation and removal
MFSA 2009-47 Crashes with evidence of memory corruption (rv:1.9.1.3/1.9.0.14)
___

- http://secunia.com/advisories/36671/2/
Release Date: 2009-09-10
Critical: Highly critical
Impact: Security Bypass, Spoofing, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.0.x, Mozilla Firefox 3.5.x ...
Solution: Update to version 3.0.14 or 3.5.3...

CVE reference:
http://web.nvd.nist....d=CVE-2009-3069
http://web.nvd.nist....d=CVE-2009-3070
http://web.nvd.nist....d=CVE-2009-3071
http://web.nvd.nist....d=CVE-2009-3072
http://web.nvd.nist....d=CVE-2009-3073
http://web.nvd.nist....d=CVE-2009-3074
http://web.nvd.nist....d=CVE-2009-3075
http://web.nvd.nist....d=CVE-2009-3076
http://web.nvd.nist....d=CVE-2009-3077
http://web.nvd.nist....d=CVE-2009-3078
http://web.nvd.nist....d=CVE-2009-3079

.

Edited by AplusWebMaster, 10 September 2009 - 08:55 PM.

[AplusWebMaster]

FYI...

- http://www.channelre...lnerable_flash/
17 September 2009 - "... Of the 6 million or so people who upgraded to either 3.5.3 or 3.0.14 of Firefox on its debut last Thursday, slightly more than 3 million of them were found to be running an outdated Flash version, according to Mozilla's Ken Kovash*. Sadly, only about 35 percent of those informed they had an insecure installation clicked on a link to upgrade to the latest version..."
* http://blog.mozilla....-upgrade-flash/

Edited by AplusWebMaster, 17 September 2009 - 05:22 AM.

[AplusWebMaster]

FYI...

Firefox blocks MS add-on to tighten security
- http://www.f-secure....s/00001794.html
October 17, 2009

// http://www.mozilla.c...US/plugincheck/

.NET Framework Assistant Blocked to Disarm Security Vulnerability
* http://blog.mozilla....-vulnerability/
10.16.09 - "... Mike Shaver, Mozilla’s Vice President of Engineering writes: I’ve previously posted** about the .NET Framework Assistant add-on that was delivered via Windows Update earlier this year. It’s recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on. Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately. (Some users are already seeing it disabled, less than an hour after we added it!)"
** http://shaver.off.ne...ickonce-add-on/
02 June 2009

- http://support.microsoft.com/kb/963707
Last Review: June 2, 2009 - Revision: 2.3

- http://voices.washin...etly_insta.html
May 29, 2009 - "... to Microsoft - this is a great example of how not to convince people to trust your security updates..."

Edited by AplusWebMaster, 19 October 2009 - 07:59 AM.

[AplusWebMaster]

'Wish somebody would make up their mind!

- http://shaver.off.ne...port-unblocked/
18 October 2009 - "We received confirmation from Microsoft this evening that the Framework Assistant add-on is -not- a mechanism for exploiting the vulnerabilities detailed in the earlier post*, so we’ve removed it from the blocklist. As the blocklist update propagates to clients, the add-on should be re-enabled for users who had it previously enabled.
We’re hard at work on improving the experience for (especially enterprise) users who wish to override the blocking of the WPF plugin before we remove it from the blocklist, and I’m working on a post to clarify the events of the past few days..."
* http://blog.mozilla....-vulnerability/
10.16.09

- http://www.theregist..._security_flap/
19 October 2009
- http://www.theinquir...-microsoft-plug
19 October 2009
- http://www.h-online....-on-832309.html
19 October 2009

- http://www.securityf....com/brief/1024
2009-10-20

- https://bugzilla.moz...g.cgi?id=522777
Last: 2009-10-20

Edited by AplusWebMaster, 20 October 2009 - 12:25 PM.

[AplusWebMaster]

FYI...

- http://www.java.com/...x_newplugin.xml
"In November 2009, the Mozilla Foundation will release version 3.6 of their popular internet browser, Firefox. Starting with Firefox 3.6, Java-based applications will NOT work unless you are running Java version 6 Update 10 or newer... Update your Java -before- updating to Firefox 3.6 and later versions..."