Bardissi Enterprises: WatchGuard LiveSecurity: Firefox 3.0.8 Update Fixes Pwn2Own and Zero Day Flaws

Severity: Medium

March 30, 2009

Summary:
  • This vulnerability affects: Firefox 3.0.7 (and previous versions) for Windows, Linux, and Macintosh
  • How an attacker exploits it: Multiple vectors of attack, including enticing one of your users to visit a malicious web page
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Upgrade to Firefox 3.0.8

Exposure:
Late Friday, the Mozilla Foundation released Firefox 3.0.8, fixing two zero day security vulnerabilities in their popular web browser. We summarize the vulnerabilities below:
  • XSL transformation vulnerability (2009-012). Firefox suffers from a flaw that Mozilla describes as an XSL transformation vulnerability. Firefox doesn’t properly parse a particular Extensible Stylesheet Language (XSL) element, which could lead to memory corruption. By enticing you to a malicious web site containing a specially crafted XSL element, a remote attacker could exploit this memory corruption to either crash Firefox or potentially execute code on your computer with your privileges. If you have local administrative or root privileges, the attacker could leverage this flaw to gain complete control of your machine. This is the same zero day flaw we described in a Wire post last week. Mozilla Impact rating: Critical
  • XUL tree element code execution vulnerability (2009-013). Firefox suffers from a code execution flaw involving the way it handles a particular XML User Interface Language (XUL) method. By enticing one of your users to a malicious web site, a remote attacker could exploit this flaw to execute code on that user’s computer with that user’s privileges. If your users have local administrative or root privileges, the attacker could leverage this flaw to gain complete control of their machines. This is one of the Pwn2Own browser vulnerabilities we described in a Wire post a few weeks ago. Mozilla Impact rating: Critical
Visit Mozilla’s Known Vulnerabilities page for a complete list of the vulnerabilities that this update fixes. Since this update fixes zero day vulnerabilities, we consider it a high priority. A researcher has already released exploit code for one of these flaws. The other was very publicly exposed at a popular security conference. We expect malicious attackers to quickly begin leveraging at least one of these flaws, so you should patch as quickly as you can.

Solution Path:
Mozilla has updated Firefox 3, correcting these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 3.0.8 as soon as possible. We recommend that 1.5.x and 2.x users migrate to 3.0.8 now.

Note: The latest versions of Firefox 3.0 automatically inform you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to always download and install any update, or if you prefer, only to inform the user that an update exists.
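
An added example (not part of the original alert): a small Python audit that sorts hosts by the Firefox version each one reports, measured against the 3.0.8 fix level named above. The inventory format, host names and category labels are assumptions, and the sample lines are constructed.

```python
import re

FIXED = (3, 0, 8)  # first fixed release named in the advisory

# Constructed sample inventory: "host<TAB>reported version string".
SAMPLE_INVENTORY = (
    "ws-01\tMozilla Firefox 3.0.7\n"
    "ws-02\tMozilla Firefox 3.0.8\n"
    "ws-03\tMozilla Firefox 3.0.10\n"
    "ws-04\tMozilla Firefox 2.0.0.20\n"
    "ws-05\tMozilla Firefox 1.5.0.12\n"
    "ws-06\tMozilla Firefox 3.0\n"
    "ws-07\tunknown\n"
)

VERSION_RE = re.compile(r"Firefox\s+(\d+(?:\.\d+)*)")

def parse_version(text):
    """Return the version as a tuple of ints (padded to 3 parts), or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:          # "3.0" is treated as 3.0.0
        parts.append(0)
    return tuple(parts)

def classify(text):
    """Label a reported version relative to this advisory only."""
    v = parse_version(text)
    if v is None:
        return "unknown"           # needs a manual check
    if v >= FIXED:                 # numeric compare, so 3.0.10 > 3.0.8
        return "patched"
    if v[:2] == (3, 0):
        return "upgrade"           # 3.0.x below 3.0.8
    return "migrate"               # older branch such as 1.5.x or 2.x

def audit(inventory):
    """Map each host in the inventory text to its classification."""
    results = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, reported = line.partition("\t")
        results[host.strip()] = classify(reported)
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(host, status)
```

Comparing versions as integer tuples rather than strings matters here: a plain string comparison would rank 3.0.10 below 3.0.8 and report a patched host as vulnerable.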

For All Users:
Many of these attacks arrive as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:
The Mozilla Foundation has released Firefox 3.0.8, fixing these security issues.
