Get your fresh Firefox updates

Published: 2006-09-15
Last Updated: 2006-09-15 12:59:19 UTC
by Joel Esler (Version: 2)
My Firefox just jumped up at me and said "You have some updates".

Version to be exact.  So what's new?  Well, Mozilla tells us over here.

MFSA 2006-64 (which, by the way, stands for Mozilla Foundation Security Advisory) -- "Crashes with evidence of memory corruption"
Looks like a memory corruption bug.
Mozilla says, "...we presume that at least some of these [bugs] could be exploited to run arbitrary code with enough effort."  So, get your patches!

MFSA 2006-62 -- Popup-blocker cross-site scripting (XSS)
More XSS stuff, except this time against the Popup-blocker feature.  Mozilla doesn't really view this as a big threat: "The malicious page would first have to get itself framed by the target page, attempt to open a popup, and then convince the user that the popup contents were so important or interesting that it must be opened manually."

MFSA 2006-61 -- Frame spoofing using
This vulnerability is kind of a rehash of this one.  "The victim site must first be opened in a new window (or tab) by the malicious site for this flaw to work."  Basically, be wary of any sites or windows not opened by you.

MFSA 2006-60 -- RSA Signature Forgery
Looks like Philip Mackenzie and Marius Schilder over at Google found this one. 
"Because the set of root Certificate Authorities that ship with Mozilla clients contain some with an exponent of 3 it was possible to make up certificates, such as SSL/TLS and email certificates, that were not detected as invalid. This raised the possibility of the sort of Man-in-the-Middle attacks SSL/TLS was invented to prevent."
Good, I read about this one not too long ago on a couple mailing lists that I lurk on.
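The root of MFSA 2006-60 was lenient parsing of the PKCS#1 v1.5 block around the hash, which, with a public exponent of 3, lets an attacker choose much of the block. As an added illustration (not from the diary or from Mozilla's code; it assumes a SHA-256 DigestInfo and works on the already-recovered encoded block rather than doing RSA), here is a verifier that stops checking after the hash beside one that insists on the single valid encoding:

```python
import hashlib
import hmac

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def expected_em(message: bytes, k: int) -> bytes:
    """The only valid PKCS#1 v1.5 encoded message for a k-byte modulus."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too small for this digest")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t

def verify_lenient(em: bytes, message: bytes) -> bool:
    """Flawed verifier: walks the padding left to right, compares the hash,
    and never looks at whatever follows it."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return em[i:i + len(t)] == t  # trailing bytes are ignored: the bug

def verify_strict(em: bytes, message: bytes) -> bool:
    """Hardened verifier: the recovered block must equal the expected
    encoding byte for byte, padding length included."""
    try:
        return hmac.compare_digest(em, expected_em(message, len(em)))
    except ValueError:
        return False

def malformed_em(message: bytes, k: int) -> bytes:
    """Constructed test vector in the shape a lenient parser accepts: minimal
    padding, the real hash, then attacker-controllable filler (hypothetical)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + b"\x00" * (k - len(head))
```

The lenient verifier accepts both blocks for the same message; the strict one accepts only the fully padded encoding.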

MFSA 2006-59 -- Concurrency-related vulnerability
Mozilla has this to say: "We have seen no demonstration that these crashes could be reliably exploited, but they do show evidence of memory corruption so we presume they could be."

MFSA 2006-58 -- Auto-Update compromise through DNS and SSL spoofing
DNS and SSL spoofing vulnerability.  Mozilla does offer some good advice on this one:
"Do not accept unverifiable (often self-signed) certificates as valid. If you must, accept them for the session only, never permanently."  Rule of thumb.

MFSA 2006-57 -- JavaScript Regular Expression Heap Corruption
"...a regular expression that ends with a backslash inside an unterminated character set (e.g. "[\\") will cause the regular expression engine to read beyond the end of the buffer, possibly leading to a crash."

... and since Thunderbird uses the same browser engine as Firefox, you need to update it too!

Thunderbird update can be found here.
Firefox's update can be found here.

OR!!!  (and better IMO), you can click on Help (in the title bar), and click on "Check for Updates...", and the program will update itself.  (At least that's where it is on my Mac)

Happy updating!

(ISC would like to thank Jack, Robert, Juha-Matti, and Brian for emailing us to let us know.  And in case you were wondering, Brian emailed us first.  He wins!)

I'd like to thank Sergio for pointing out that I missed #61.  Thanks Sergio.
