Film-Tech Cinema Systems
Film-Tech Forum ARCHIVE


  
my profile | my password | search | faq & rules | forum home
  next oldest topic   next newest topic
» Film-Tech Forum ARCHIVE   » Community   » Film-Yak   » Pair of 'Extremely Critical' Bugs Found in Firefox Today

   
Author Topic: Pair of 'Extremely Critical' Bugs Found in Firefox Today
Paul Mayer
Oh get out of it Melvin, before it pulls you under!

Posts: 3836
From: Albuquerque, NM
Registered: Feb 2000


 - posted 05-10-2005 12:27 AM      Profile for Paul Mayer   Author's Homepage   Email Paul Mayer   Send New Private Message       Edit/Delete Post 
Just saw this and thought I'd pass it along to all us Firefox users here:

quote:
May 09, 2005 (1:39 PM EDT)
'Extremely Critical' Bugs Found in Firefox

By Gregg Keizer, TechWeb News

A pair of unpatched vulnerabilities in Mozilla's Firefox Web browser -- rated as "extremely critical" by one security firm -- could allow an attacker to take control of a PC simply by getting a user to visit a malicious Web site, Mozilla said Sunday.

Because proof-of-concept code has been leaked -- as were the vulnerabilities -- before a patch was ready, Mozilla recommended that Firefox users either disable JavaScript or lock down the browser so it doesn't install additional software, such as extensions" or themes, from Web sites.

The vulnerabilities were discovered by a pair of security researchers, who had notified Mozilla earlier in the month, but were keeping mum until a patch was written. However, details of the vulnerabilities were leaked by someone close to one of the researchers.

According to Danish security vendor Secunia, which tagged the bugs with a highest "extremely critical" warning -- the first time it's used that to describe a Firefox flaw -- a hacker can trick the browser into thinking a download is coming from one of the by-default sites permitted to install software automatically: addons.mozilla.org or update.mozilla.org.

"Changes to the Mozilla Update web service have been made to mitigate the risk of an exploit," the Foundation announced on its security site Sunday. Specifically, Mozilla re-pointed the two update sites to a new URL, and instructed users not to add that new site to their list of Allowed Sites. The change, however, only defends against the current proof-of-concept that's circulating, not the vulnerabilities themselves.

While that reduced the risk of an immediate attack, Mozilla doesn't have control over the numerous sites that users might have added to their Allow, or whitelist, list. Popular plug-ins, called "extensions" by Firefox, could also be the root of attacks, since users must give an extension site installation permission. To close all possible doors, Mozilla recommended that users either disable JavaScript or turn off installation from Web sites. To disable Web site software installs, users can select Tools/Options/Preferences in Firefox 1.0.3, the current edition. Users can still install extensions or user interface themes manually by first downloading the file, then running them from Firefox's File menu.

A security update -- which will be dubbed Firefox 1.0.4 -- will be issued as soon as possible. "Mozilla is aggressively working to provide a more comprehensive solution to these potential vulnerabilities and will provide that solution in a forthcoming security update," the organization's security alert continued.

While the leaked information included proof-of-concept code that demonstrated how a malicious site could run code of the attacker's choice and install it on machines using Firefox, Mozilla discounted the risk. "There are currently no known active exploits of these vulnerabilities," it said Sunday. The release of Firefox 1.0.4 would be the fourth security update to the browser since the beginning of the year. Others appeared in late February, late March, and mid-April. In that time, Microsoft has released two patches for its Internet Explorer browser.


 |  IP: Logged

Adam Wilbert
Jedi Master Film Handler

Posts: 590
From: Bellingham, WA, USA
Registered: Mar 2002


 - posted 05-10-2005 02:41 AM      Profile for Adam Wilbert   Author's Homepage   Email Adam Wilbert   Send New Private Message       Edit/Delete Post 
thats it. I'm switiching to the safe IE browser. Nobody would exploit that one. [Smile]

thanks for the heads up.

 |  IP: Logged

Leo Enticknap
Film God

Posts: 7474
From: Loma Linda, CA
Registered: Jul 2000


 - posted 05-10-2005 06:43 AM      Profile for Leo Enticknap   Author's Homepage   Email Leo Enticknap   Send New Private Message       Edit/Delete Post 
Ironic, given that I've just this minute finished putting 1.0.3 on the laptop!

Thanks again - I've disabled the 'let websites install software' feature and will keep a lookout for the bug fix.

 |  IP: Logged

Monte L Fullmer
Film God

Posts: 8367
From: Nampa, Idaho, USA
Registered: Nov 2004


 - posted 05-10-2005 01:24 PM      Profile for Monte L Fullmer   Email Monte L Fullmer   Send New Private Message       Edit/Delete Post 
...what about "Crapscape" (Netscape)? - would this invite this problem as well, for I use Net 7.1 at times due to dbl browser usage. - Monte

 |  IP: Logged

Tim Reed
Better Projection Pays

Posts: 5246
From: Northampton, PA
Registered: Sep 1999


 - posted 05-12-2005 01:40 AM      Profile for Tim Reed   Author's Homepage     Send New Private Message       Edit/Delete Post 
quote: Leo Enticknap
I've disabled the 'let websites install software' feature and will keep a lookout for the bug fix.
Leo, there should be a little red arrow on display in the upper right-hand corner of the browser (just under the Maximize Window button). Click on it to update to version 1.0.4.

 |  IP: Logged

Leo Enticknap
Film God

Posts: 7474
From: Loma Linda, CA
Registered: Jul 2000


 - posted 05-12-2005 01:42 AM      Profile for Leo Enticknap   Author's Homepage   Email Leo Enticknap   Send New Private Message       Edit/Delete Post 
Got it - thanks.

 |  IP: Logged



All times are Central (GMT -6:00)  
   Close Topic    Move Topic    Delete Topic    next oldest topic   next newest topic
 - Printer-friendly view of this topic
Hop To:



Powered by Infopop Corporation
UBB.classicTM 6.3.1.2

The Film-Tech Forums are designed for various members related to the cinema industry to express their opinions, viewpoints and testimonials on various products, services and events based upon speculation, personal knowledge and factual information through use, therefore all views represented here allow no liability upon the publishers of this web site and the owners of said views assume no liability for any ill will resulting from these postings. The posts made here are for educational as well as entertainment purposes and as such anyone viewing this portion of the website must accept these views as statements of the author of that opinion and agrees to release the authors from any and all liability.

© 1999-2020 Film-Tech Cinema Systems, LLC. All rights reserved.