Code demonstrating a serious exploit of Firefox versions *prior to
1.0.5* has been released.
This would be a good opportunity to have your users upgrade to
either Firefox version 1.0.7 - the more conservative upgrade path -
or 1.5. (More on version 1.5 below.)
Joris Evers
"Attack code out for old Firefox bug"
CNET News.com, December 13, 2005
<http://news.com.com/Attack+code+out+for+old+Firefox+bug/2100-7349_3-5994026.html>
As the article states, "[this demonstration] code doesn't do much
harm, but he [its author] notes it would be easy to turn it into
malicious code that commandeers a vulnerable system."
"The vulnerability is in the way the Web browsers handle
JavaScript, according to a Mozilla alert
[<http://www.mozilla.org/security/announce/mfsa2005-50.html>] dated
July 12, the day Firefox 1.0.5 was released. An attacker could craft
a malicious Web site that, when accessed by a vulnerable PC, could
let an attacker run code on that system without the owner realizing
it."
Although, according to the article, the code demonstrating this
exploit is apparently specific to Windows, earlier versions of
Firefox also have a modest number of security vulnerabilities,
serious and otherwise, which may also affect users of that browser on
Mac OS X, Linux, and Unix.
For protection from the known security vulnerabilities in Firefox,
users should either be using Firefox 1.0.7 - the latest release in
the 1.0 series - or the recently-released Firefox 1.5. The list of
known vulnerabilities is at:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox
A few notes about Firefox 1.5
-----------------------------
Firefox 1.5 for the first time includes a feature that will
automatically notify users of updates - including those required to
resolve security vulnerabilities - as well as a related feature that
should make it quicker and easier to download and install updates.
However, it should be noted that, as with any version upgrade, a
minority of users upgrading from Firefox 1.0.x to 1.5 may experience
problems. As just one example, the upgrade may cause some
third-party Firefox extensions to no longer function, until they can
be replaced by 1.5-compatible upgrades - if their authors will
provide them - as described in this DesktopLinux.com article
<http://www.desktoplinux.com/news/NS2432314568.html>.
For a brief perspective on why you might - or might not - want to
upgrade your users to 1.5 at this time:
<http://www.informationweek.com/blog/main/archives/2005/12/firefox_why_you.html>
And finally, a succinct review (written about a late release
candidate) of some of the key new features in 1.5:
http://www.pcmag.com/article2/0,1895,1892104,00.asp
Aron Roberts
Workstation Software Support Group
Received on Fri Dec 16 13:40:59 2005