Bardissi Enterprises Blog

LiveSecurity | Urgent: Latest Firefox Update Fixes Eight Security Flaws

Latest Firefox Update Fixes Eight Security Flaws

Severity: Medium

4 February, 2008

Summary:

This vulnerability affects: Firefox 3.0.5 (and previous versions) for Windows, Linux, and Macintosh

How an attacker exploits it: Multiple vectors of attack, including enticing one of your users to visit a malicious web page

Impact: Various results; in the worst case, an attacker executes code on your user’s computer, gaining complete control of it

What to do: Upgrade to Firefox 3.0.6

Exposure:

Late yesterday, the Mozilla Foundation released Firefox 3.0.6, fixing approximately eight security vulnerabilities (based on CVE-IDs) in the popular web browser. We summarize three of the vulnerabilities below:

Memory corruption vulnerabilities (2009-001). Firefox suffers from several crash bugs, which corrupt memory. Mozilla’s alert shares scant detail about these memory corruption flaws, but it does say the flaws lie within Firefox’s layout engine and its JavaScript engine (the flaws also affect some other Mozilla-based products). Mozilla presumes that, with enough effort, attackers could exploit some of these memory corruption flaws to run arbitrary code on a victim’s computer. To do so, an attacker would first have to trick one of your users into visiting a maliciously crafted web page. If your user took the bait, the attacker could execute malicious code on that user’s machine, with that user’s privileges. And if the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
Mozilla Impact rating: Critical

XSS vulnerability in chrome XBL method (2009-002). Firefox suffers from a cross-site scripting (XSS) vulnerability involving the way it handles a particular method (specifically, the chrome XBL method). By enticing one of your users into clicking a specially crafted link, an attacker can exploit this flaw to bypass the same origin policy. Among other things, this allows attackers to execute scripts under the context of a legitimate web site or read data from a legitimate site. For instance, if your users visit secure web sites which store sensitive data, an attacker might leverage this flaw to steal that sensitive data.
Mozilla Impact rating: High

XSS vulnerabilities in SessionStore (2009-003). Since version 2.x, Firefox has shipped with a SessionStore feature that saves your current browser session data. For example, if Firefox crashes when you have several web sites opened in various tabs, Firefox can recover all those tabs and web sessions when you re-run the program. Unfortunately, Firefox suffers from a convoluted security vulnerability involving the way SessionStore restores closed tabs. If an attacker knows the specific location of a file he’d like to steal, and can convince one of your users to close and then restore a Firefox tab, he can exploit this vulnerability to steal any file on that user’s computer.
Mozilla Impact rating: High

Visit Mozilla’s Known Vulnerabilities page for a complete list of the vulnerabilities that this update fixes.

Solution Path:

Mozilla has updated Firefox 3, correcting these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 3.0.6 as soon as possible. We recommend that 1.5.x and 2.x users migrate to 3.0.6 now.

Windows

Linux

Mac OS X

Note: The latest versions of Firefox 3.0 automatically inform you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to always download and install any update, or if you prefer, only to inform the user that an update exists.

For All Users:

Many of these attacks arrive as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.
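To confirm the upgrade actually reached every machine, the following added example (not part of the original alert) audits a software inventory against the fixed version 3.0.6. The inventory format (one `host<TAB>Mozilla Firefox <version>` line per machine), the host names and the status labels are assumptions made for illustration. Versions are compared numerically, so 3.0.10 is correctly treated as newer than 3.0.6.

```python
import re

FIXED = (3, 0, 6)  # first release containing the fixes, per the advisory

# Assumed banner format: "Mozilla Firefox <dotted version>", optionally
# followed by a comma or whitespace and further text.
BANNER = re.compile(r"Mozilla Firefox (\d+(?:\.\d+)*)(?=,|\s|$)")

def parse_version(banner):
    """Return the version as a tuple of ints, or None if it is not purely numeric."""
    m = BANNER.search(banner.strip())
    if not m:
        return None  # e.g. pre-release or vendor-suffixed builds: check by hand
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # pad "3" or "3.0" to three components
    return tuple(parts)

def classify(banner):
    """Map a version banner to a status label (labels are this example's own)."""
    v = parse_version(banner)
    if v is None:
        return "unknown"
    if v >= FIXED:
        return "patched"
    if v[:2] == (3, 0):
        return "upgrade"   # 3.0.5 and previous 3.0.x releases
    return "migrate"       # older branches such as 1.5.x and 2.x

def audit(inventory):
    """Return {host: status} for each 'host<TAB>banner' line."""
    results = {}
    for line in inventory.splitlines():
        host, sep, banner = line.partition("\t")
        if not sep:
            continue  # blank or malformed line
        results[host.strip()] = classify(banner)
    return results

def needs_action(inventory):
    """Hosts that are not confirmed to be running a fixed version."""
    return sorted(h for h, s in audit(inventory).items() if s != "patched")

# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = (
    "ws-01\tMozilla Firefox 3.0.6\n"
    "ws-02\tMozilla Firefox 3.0.5\n"
    "ws-03\tMozilla Firefox 2.0.0.20\n"
    "ws-04\tMozilla Firefox 3.0.6pre\n"
    "ws-05\tMozilla Firefox 1.5.0.12\n"
)

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(host, status)
```

Hosts reported as "unknown" carry a version string the parser does not recognise and should be checked manually rather than assumed safe.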

Status:

The Mozilla Foundation has released Firefox 3.0.6, fixing these security issues.

References:

Firefox 3.0.6 Release Notes

Vulnerabilities Fixed in Firefox 3.0.6

 
