Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] Firefox security update



http://isc.sans.org/diary.php?storyid=1702

Get your fresh Firefox updates (NEW)
Published: 2006-09-15,
Last Updated: 2006-09-15 00:58:19 UTC by Joel Esler (Version: 1)

My Firefox just jumped up at me and said "You have some updates".

Version 1.5.0.7 to be exact.  So what's new?  Well, Mozilla tells us
over here.

MFSA 2006-64 (which, by the way, stands for Mozilla Foundation Security
Advisory)
Looks like a memory corruption bug.  "Crashes with evidence of memory
corruption", Mozilla says, "...we presume that at least some of these
could be exploited to run arbitrary code with enough effort."  So, let's
hope not.

MFSA 2006-62 -- Popup-blocker cross-site scripting (XSS)
More XSS stuff, except this time against the Popup-blocker feature.
Mozilla doesn't really view this as a big threat: "The malicious page
would first have to get itself framed by the target page, attempt to
open a popup, and then convince the user that the popup contents were so
important or interesting that it must be opened manually."

MFSA 2006-60 -- RSA Signature Forgery
Looks like Philip Mackenzie and Marius Schilder over at Google found
this one. 
"Because the set of root Certificate Authorities that ship with Mozilla
clients contain some with an exponent of 3 it was possible to make up
certificates, such as SSL/TLS and email certificates, that were not
detected as invalid. This raised the possibility of the sort of
Man-in-the-Middle attacks SSL/TLS was invented to prevent."
Good, I read about this one not too long ago on a couple mailing lists
that I lurk on.

MFSA 2006-59 -- Concurrency-related vulnerability
Mozilla has this to say: "We have seen no demonstration that these
crashes could be reliably exploited, but they do show evidence of memory
corruption so we presume they could be."

MFSA 2006-58 -- Auto-Update compromise through DNS and SSL spoofing
DNS and SSL spoofing vulnerability.  Mozilla does offer some good advice
on this one:
"Do not accept unverifiable (often self-signed) certificates as valid.
If you must, accept them for the session only, never permanently."  Rule
of thumb.

MFSA 2006-57 -- JavaScript Regular Expression Heap Corruption
"...a regular expression that ends with a backslash inside an
unterminated character set (e.g. "[\\") will cause the regular expression
engine to read beyond the end of the buffer, possibly leading to a
crash." 

... and since Thunderbird uses the same browser engine as Firefox, you
need to update it too!

Thunderbird update can be found here.
Firefox's update can be found here.

OR!!!  (and better IMO), you can click on Help (in the title bar), and
click on "Check for Updates...", and the program will update itself.
(At least that's where it is on my Mac)

Happy updating!
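The MFSA 2006-57 item above describes a regex character set that ends in a backslash and makes the scanner read past the end of its buffer. As an added illustration (not part of the forwarded post and not Mozilla's code), here is a hypothetical bounds-checked character-class scanner in C that rejects that shape instead of reading beyond the pattern; the sample patterns are constructed for the demonstration.

```c
#include <stddef.h>
#include <string.h>

/* Result codes for scanning a single regex character class "[...]". */
enum cc_result { CC_UNTERMINATED = -1, CC_DANGLING_ESCAPE = -2 };

/*
 * Scan the character class that starts at re[pos] (which must be '[') and
 * return the index just past the closing ']'. Every read is guarded by
 * `len`, so a pattern such as "[\" (a backslash inside an unterminated
 * set, the shape described in the advisory) is rejected rather than
 * letting the scanner step past the end of the buffer. Hypothetical
 * helper, not the engine's real code; uses JavaScript-style semantics
 * where "[]" is an empty class and "[^]" matches any character.
 */
static long scan_char_class(const char *re, size_t len, size_t pos)
{
    if (pos >= len || re[pos] != '[')
        return CC_UNTERMINATED;
    pos++;                                  /* skip the opening '[' */
    if (pos < len && re[pos] == '^')
        pos++;                              /* optional negation */
    while (pos < len) {
        if (re[pos] == ']')
            return (long)(pos + 1);         /* class closed; next index */
        if (re[pos] == '\\') {
            /* The escaped character must exist before we consume it;
             * this is the check whose absence lets "[\" over-read. */
            if (pos + 1 >= len)
                return CC_DANGLING_ESCAPE;
            pos += 2;                       /* skip '\' and its operand */
            continue;
        }
        pos++;
    }
    return CC_UNTERMINATED;                 /* ran out of input, no ']' */
}

/* Convenience wrapper for NUL-terminated pattern strings. */
static long scan_char_class_str(const char *re)
{
    return scan_char_class(re, strlen(re), 0);
}
```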


Copyright © Lexa Software, 1996-2009.