
SANS ISC InfoSec Handlers Diary Blog



FF/TB Updates

Published: 2006-12-19
Last Updated: 2006-12-20 01:54:08 UTC
by Tom Liston (Version: 1)
A slew of security fixes are being rolled out for Firefox and Thunderbird. The patches, which will take Firefox to version 2.0.0.1 or 1.5.0.9 and Thunderbird to 1.5.0.9, fix critical security flaws such as XSS (cross-site scripting) issues, privacy leaks when retrieving RSS feeds, a flaw in SVG / DOM handling, and a cursor image overflow in Firefox. Thunderbird gets fixes for a mail header overflow and inherits several of the FF fixes as well. As I write this, the new code doesn't appear to be available, but expect the auto-update feature to kick in soon...

More info: http://www.mozilla.org/security/

UPDATE:

The links are now live and you can download this manually, but the auto-update feature is not there yet. Here's the list of security fixes in Firefox version 2.0.0.1:

XSS using outer window's Function object
RSS Feed-preview referrer leak
Mozilla SVG Processing Remote Code Execution
XSS by setting img.src to javascript: URI
LiveConnect crash finalizing JS objects
Privilege escalation using watch point
CSS cursor image buffer overflow (Windows only)
Crashes with evidence of memory corruption (rv:1.8.0.9/1.8.1.1)
