Archive for the 'firefox' Category

Mozilla Patches Part Two: Huh

March 26, 2008

Mozilla fixes 10 Firefox flaws, half seen as ‘critical’:

Mozilla also patched potential identity leaks, spoofing bugs and cross-site scripting vulnerabilities in 2.0.0.13. But the fix that caught Storms’ eye was detailed by 2008-18, a fix for LiveConnect, a feature that harks back to Firefox’s predecessor, Netscape Navigator. LiveConnect lets Java applets call a Web page’s embedded JavaScript, or JavaScript access the Java runtime libraries, and it is used by both Firefox and Apple Inc.’s Safari 3 browser.

“Sun has updated the Java Runtime Environment with a fix for this problem. Mozilla has also added a fix to LiveConnect to protect users who don’t have the latest version of Java,” Mozilla said in the advisory.

“Here we have Firefox putting out a mitigation step for a bug in Java,” said Storms. “It’s a welcome addition when one vendor can help out another.”

All 10 vulnerabilities were also patched by the SeaMonkey Project, a separate open-source initiative that develops a multifunction browser suite.

The Thunderbird e-mail client, meanwhile, is affected by the five critical flaws listed in 2008-14 and 2008-15. “Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail,” read the first of the two bulletins. “This is not the default setting, and we strongly discourage users from running JavaScript in mail.”

A release date for Thunderbird 2.0.0.13 to fix the flaws has not been set. According to David Ascher, the head of Mozilla Messaging, the e-mailer’s update will follow Firefox’s by “several weeks.” In a post to his blog last week, Ascher cited several reasons why a simultaneous release of Thunderbird and Firefox updates was impossible. “Some of those resource contentions are due to not enough automation for the Thunderbird release process, and some of it is the consequence of not enough people with the right training,” he said.

Ascher defended the lag by noting that while JavaScript is turned on by default in Firefox, it is not in Thunderbird. “We could delay releasing Firefox until Thunderbird was ready, in the interest of mitigating the risk of someone using knowledge from the Firefox release to try and attack Thunderbird users,” said Ascher. “But that would mean leaving over 150 million users vulnerable. So, applying the correct math, we release Firefox security updates as soon as possible, and Thunderbird security updates as soon as possible.”

Nice that the Firefox people can help cover Sun’s asses but not Thunderbird’s.

Firefox, Thunderbird, Seamonkey Critical Update Released

March 26, 2008

Firefox update fixes critical security vulnerabilities:

A security vulnerability allows attackers to fake a borderless popup from a background tab using crafted web pages and place it in front of the user’s active tab. This could be used to spoof form elements and phish for data such as login data. Attackers can also circumvent the method used by some websites to protect against cross-site request forgery (CSRF) if server-side protection is based solely on referrer checking, as it is possible to fake the HTTP referrer (MFSA-2008-16). The Mozilla browser may reveal personal data if a user possesses a personal certificate which the browser presents automatically during SSL client authentication. According to security advisory MFSA-2008-17, following the update the browser asks the user before presenting the client certificate when it is requested by a website.

Most of the security vulnerabilities also affect the Thunderbird mail client and the Seamonkey browser suite. The security advisories refer to Thunderbird version 2.0.0.13 and Seamonkey 1.1.9, in which these bugs should be fixed. These versions are not yet, however, being distributed automatically. Firefox users should install the update without delay, as the vulnerabilities can be exploited using crafted web pages to inject trojans.

I was surprised by this when I fired up Windows today and was informed 2.0.0.13 was ready to install. User beware…
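An added example (not from the quoted article or from Mozilla's advisory) showing why a server-side CSRF defence that relies solely on the Referer header, as described in MFSA-2008-16 above, fails once the referrer can be forged, beside a session-bound synchronizer token check that does not. The site origin, server secret, session id and request dicts are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Origin whose own pages are allowed to submit state-changing requests (constructed).
SITE_ORIGIN = "https://bank.example"
# Server-side secret used to derive per-session CSRF tokens (constructed for this example).
SERVER_SECRET = secrets.token_bytes(32)


def referer_only_check(headers: dict) -> bool:
    """The weak pattern: trust the request if the Referer names our own site.
    Anything that lets a page forge the Referer header defeats this outright."""
    referer = headers.get("Referer", "")
    return referer == SITE_ORIGIN or referer.startswith(SITE_ORIGIN + "/")


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(server_secret, session_id).
    It is embedded only in our own forms, so a cross-site page cannot obtain it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_check(form: dict, session_id: str) -> bool:
    """Accept a state-changing request only if the form carries the token issued
    for this session. Constant-time comparison avoids leaking the token by timing."""
    supplied = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, supplied)


# Constructed sample requests.
# 1. A cross-site request with a spoofed Referer and a guessed token.
FORGED_HEADERS = {"Referer": "https://bank.example/transfer"}
FORGED_FORM = {"to": "attacker", "amount": "1000", "csrf_token": "guess"}

# 2. A legitimate request from our own form, carrying the session's real token.
LEGIT_SESSION = "session-abc123"
LEGIT_HEADERS = {"Referer": "https://bank.example/transfer"}
LEGIT_FORM = {"to": "landlord", "amount": "900", "csrf_token": issue_csrf_token(LEGIT_SESSION)}


def evaluate() -> dict:
    """Run both checks over both requests; returns {name: (referer_ok, token_ok)}."""
    return {
        "forged": (referer_only_check(FORGED_HEADERS), token_check(FORGED_FORM, LEGIT_SESSION)),
        "legit": (referer_only_check(LEGIT_HEADERS), token_check(LEGIT_FORM, LEGIT_SESSION)),
    }


if __name__ == "__main__":
    print(evaluate())  # forged request passes the referer check but fails the token check
```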

Firefox 3 Initial Impressions - VectorLinux Site Hacked

March 21, 2008

I read an article that the Mozilla folks are so proud of Firefox 3 beta 4 that they’re encouraging it for average users. So I decided I would give it a spin.

I downloaded the tarball and set it up in /opt. From a console, I opened it up. I got the first box asking if I wanted to import my bookmarks and settings from Seamonkey (which was installed by default in Vector, and which I manually upgraded rather than using their package because I didn’t want to slow my computer down with all the slick Vector imagery — an issue which I’ll address soon). I did. It then announced my settings were brought over and asked if I wanted the Mozilla search page or my existing home page. I selected my home page.

Then the fun began. Some Arabic writing appeared on the window title bar. And in the tab. My first concern was that I had downloaded an Arabic version instead of the American English one. Looked at it. Umm, nope. Got the right one.

Vector apparently opens to their website when browsers are fired up the first time. That’s another peeve of mine — when someone insists on including configurations that direct me to their sites (you think six links to different parts of the site aren’t enough? am I really important enough to count me when I run SeaMonkey and Firefox the first time?). In the process I found out their site’s been hacked.

This is a later shot when I realized what was going on (and I left open a tab when checking on this to make sure the file I downloaded didn’t have any known issues). But you get the point.

When I realized what was going on, I decided to open the site in dillo and that’s when I found out the criminal did a bit more. Dillo displayed it, Firefox resulted in a 404.

Anyway, hitting a hacked site because the distro I’m using includes a hit to that page in the default install even if I don’t use their packaging has given me a more negative impression of Vector than Firefox. I’m sure others who are using Vector for the first time this evening have the same impression — maybe worse.

I haven’t had time to weigh how much better Firefox 3 behaves with respect to memory, nor have I had time to delve into any new features. So far I see a familiar interface that handles things identically to earlier versions. I’ll have more time this weekend to try it out.

Opera, Firefox Adding Embedded Video Tag

December 7, 2007

Mozilla, Opera look to make video on the Web easier - Yahoo! News:

Firefox and Opera will support a new HTML tag specifically for embedding video in Web pages. As long as the browsers support a video’s specific codec, or encoding method, the browsers will then be able to play the video without launching third-party enabling software, said Chris Double, a Mozilla engineer. Mozilla and Opera are also working to support the royalty-free video codec Ogg Theora.

QuickTime Exploit Affects Firefox Users

December 2, 2007

I know I mentioned this the other day but here’s more information. The vulnerability is in QuickTime Player 7.2 and 7.3, and iTunes versions through 7.4.

QuickTime proof-of-concept exploit published:

The exploit can also be used in a Web browser by having the user click on a URL. The attack has been tested against “some of the common Web browsers,” but with Internet Explorer 6/7 and Safari 3 Beta the attack is prevented.

Firefox users are not as lucky. Because Firefox allows users to play multimedia files in the QuickTime Player application, the current version of the exploit works perfectly against Firefox if users have chosen QuickTime as the default player for multimedia formats, according to Symantec.

Firefox Updates to Fix 2.0.0.10!

November 30, 2007

Just a few days after Firefox issued a major security fix, along comes another update. Should this breed confidence or suspicion? I’m leaning toward suspicion.

Mozilla Firefox 2.0.0.11 Release Notes:

What’s New in Firefox 2.0.0.11
Release Date: November 30, 2007
Stability Update: This release corrects a problem that was found in the previous release, Firefox 2.0.0.10.

Firefox 2.0.0.10 Security Release

November 27, 2007

It’s out. Your browser should check for the update itself, but you can always speed up the process and select Help and check for updates.