Moz? Firefox? Time to update if you haven't...

REM

From the UBCD4Win forum:

http://software.silicon.com/malware/0,3800003100,39152702,00.htm

----------------------------------------------------------------------------------


"'How to attack Firefox' code appears on the net

Exploits freshly patched security flaw...

By Joris Evers

Published: Monday 26 September 2005

Computer code that could be used to attack Firefox, Mozilla Suite and
Netscape users has been released on the internet.

The release of the attack code comes days after Mozilla released an
updated version of Firefox to fix several security flaws, including
the bug exploited by the code.

A fixed version of the Mozilla Suite is also available but
Firefox-based Netscape has yet to be updated. The Netscape browser is
a product of Netscape, which is a division of Time Warner's AOL
subsidiary. An AOL spokesman had no comment on Thursday.

The attack code exploits a vulnerability that was disclosed two weeks
ago. The flaw lies in the way the browsers handle International Domain
Names, which are web addresses that use international characters.
Hackers had been working to exploit the flaw and had said the code
would be released after fixes were available.

The exploit could let attackers run code remotely on vulnerable
computers and works on Firefox, Mozilla and, in some cases, Netscape,
according to security researcher Berend-Jan Wever, who published the
code. Mozilla has urged users to upgrade to the latest versions of its
products."

----------------------------------------------------------------------------------
 
Adam Piggott

If I'm reading that article correctly and it is discussing the same exploit
that I think then it's written badly and could easily confuse readers. It's
also out of date.

Firefox 1.0.7, the current version, is not exploitable.

Wednesday, September 21st
http://www.mozillazine.org/talkback.html?article=7389

"Mozilla Firefox 1.0.7, a security and stability update to the flagship
Mozilla browser, is now available for download. Fixes are included for the
international domain name (IDN) link buffer overflow vulnerability..."

btw - not trying to knock you - quite the opposite, it's good that such
problems get attention. It's always best to point people towards a more
informative article that has, for example, a place to download the fixed
version etc :)

--
Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
 
jimpgh2002

> If I'm reading that article correctly and it is discussing the same exploit
> that I think then it's written badly and could easily confuse readers. It's
> also out of date.
>
> Firefox 1.0.7, the current version, is not exploitable.

Dream on.
Hey, I use FF as my default browser, but I'll bet there are
still holes in FF and the more popular it becomes, the more it will be
exploited.
 
Adam Piggott

> Dream on.
> Hey, I use FF as my default browser, but I'll bet there are
> still holes in FF and the more popular it becomes, the more it will be
> exploited.

Indeed. I think you read my statement out of context though, as I was
speaking on the topic of a /specific/ exploit that I stated 1.0.7 wasn't
subject to.

I keep well aware that nothing is impervious :)

--
Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
 
John Corliss

jimpgh2002 said:
> Dream on.
> Hey, I use FF as my default browser, but I'll bet there are
> still holes in FF and the more popular it becomes, the more it will be
> exploited.

Maybe so, but the Mozilla team tends to deal with such exploits *very*
quickly, as opposed to Microsoft who historically haven't done so with
IE exploits. Also, I notice that more and more websites are dumping
proprietary ActiveX and making their sites compatible with Firefox.
Continued growth in the use of Firefox can only be good for standards
compliance.

--
Regards from John Corliss
My current killfile: aafuss, Chrissy Cruiser, Slowhand Hussein and others.
No adware, cdware, commercial software, crippleware, demoware, nagware,
PROmotionware, shareware, spyware, time-limited software, trialware,
viruses or warez please.
 
jimpgh2002

> Indeed. I think you read my statement out of context though, as I was
> speaking on the topic of a /specific/ exploit that I stated 1.0.7 wasn't
> subject to.

Okay, my bad.

> I keep well aware that nothing is impervious :)

Yeah, too bad we need to run firewalls, anti-virus software,
etc. to combat the bad guys.
 
