LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Mozilla Firefox Vulns (http://www.linuxquestions.org/questions/linux-security-4/mozilla-firefox-vulns-410911/)

win32sux 02-02-2006 11:36 AM

Mozilla Firefox Vulns
 
This thread serves as a discussion place for any current security vulnerabilities in Mozilla Firefox. LQ members are encouraged to subscribe to this thread in order to stay informed about the latest Mozilla Firefox security fixes and workarounds. If this is your first time stopping by this thread, get the latest info by jumping to the last page.

Ygrex 02-03-2006 05:52 AM

Thank you, updating right now.

win32sux 02-09-2006 02:42 PM

Just an update to let everyone know that an exploit for CVE-2006-0295 has been made public.

Quote:

H D Moore of the Metasploit Project published a working exploit on milw0rm for the Linux and Mac OS X versions of Firefox 1.5. Severity upgraded to critical.
http://www.mozilla.org/security/anno...sa2006-04.html

This vulnerability is fixed in firefox 1.5.0.1, so upgrade today!!!

w8qh 02-24-2006 02:08 PM

Foxfire update
 
Thank You I to will be upgrading very soon

Robhogg 03-01-2006 09:30 AM

I've downloaded the new version, and extracted the tar archive. However, the installation instructions on the site were sparse, to say the least:

Quote:

Linux/GTK2

Extract the tarball in the directory where you want to install Firefox:

tar -xzvf firefox-1.5.0.1.tar.gz

This will create a firefox subdirectory of that directory
Doing just this, the firefox command still opens the old version, and the new version will open only if I specify the full path.

Entering which firefox points to /usr/bin/firefox, which is a symlink to the old firefox file. Should I just change this to point to the new version, or is there something more clever that I should do?

Rob

microsoft/linux 03-01-2006 09:56 AM

I had this same problem when I was trying to update from 1.0.7. I ended up waiting for debian to get a 1.5.0 version. Anyone know about the status of that?

win32sux 03-01-2006 10:46 AM

Quote:

Originally Posted by Robhogg
I've downloaded the new version, and extracted the tar archive. However, the installation instructions on the site were sparse, to say the least:

Doing just this, the firefox command still opens the old version, and the new version will open only if I specify the full path.

Entering which firefox points to /usr/bin/firefox, which is a symlink to the old firefox file. Should I just change this to point to the new version, or is there something more clever that I should do?

IIRC, the tarball comes with an installer, so you'd have to execute the installer, instead of just untarring and running... try it as a non-root user first until you're sure you have it right... and yes, you'd have to specify the full path to the firefox binary until you replace your old one or adjust the symlink...

BTW, i recommend that you use a binary package from your distro instead...

Quote:

Originally Posted by microsoft/linux
I had this same problem when I was trying to update from 1.0.7. I ended up waiting for debian to get a 1.5.0 version. Anyone know about the status of that?

i seriously doubt the stable branch will be getting 1.5 as it would go against the stability philosophy, but you can get 1.5 from the unstable branch: http://packages.debian.org/unstable/web/mozilla-firefox

microsoft/linux 03-01-2006 03:15 PM

yeah, I'm running testing, and I got 1.5 from unstable. I looked, and it looks like unstable's got 1.5.0.1(if that's the right version), so I'll upgrade from there.

Robhogg 03-01-2006 03:30 PM

Quote:

Originally Posted by win32sux
IIRC, the tarball comes with an installer, so you'd have to execute the installer, instead of just untarring and running... try it as a non-root user first until you're sure you have it right... and yes, you'd have to specify the full path to the firefox binary until you replace your old one or adjust the symlink...

I couldn't find an installer. There were a couple of other likely-looking files in the directory, but I couldn't get either to run (and like I said, the mozilla website was being less than helpful). In the end, I moved the folder to /opt (alongside the old installation), and recreated the link.

I then found that, although my bookmarks and cookies had been copied over, my plugins were missing. In the end, after searching for a way of setting these in the browser (and getting nowhere), I simply copied the plugins from the folder in /usr/lib /browser-plugins over to firefox's /plugins sub-folder and it worked. I can't believe it was that easy!!.

Thanks,
Rob
:)(Currently listening to Goodness Gracious Me from the BBC website):)

win32sux 04-14-2006 01:53 AM

Firefox 1.5.0.2 has been released. Aside from the usual stability fixes, there are also several security fixes included.

win32sux 04-14-2006 05:11 AM

Secunia's put out an advisory already (and it's a big one):
Quote:

Multiple vulnerabilities have been reported in Firefox, which can be exploited by malicious people to conduct cross-site scripting and phishing attacks, bypass certain security restrictions, disclose sensitive information, and potentially compromise a user's system.
http://secunia.com/advisories/19631/

win32sux 04-18-2006 08:29 PM

there's been a non-critical security issue found in 1.5.0.2... even though the issue is non-critical, i figured it's in the thread's best interest to have it posted... here it is:
Quote:

Description:
PSPFrenzy has discovered a weakness in Firefox, which can be exploited by malicious people to bypass certain security restrictions.

Internet web sites are normally not allowed to link to local resources. It is, however, possible by a malicious web site to open local content in the browser by tricking a user into right-clicking and choosing "View Image" on a broken image, which is referencing a local resource (e.g. via the file: URI handler).

NOTE: This does not pose any direct security impact by itself, but may be exploited in combination with other vulnerabilities.

The weakness has been confirmed in version 1.5.0.2. Other versions may also be affected.

Solution:
Do not use the "View Image" functionality on untrusted web sites.
Secunia Advisory

win32sux 05-03-2006 05:42 AM

Mozilla Firefox 1.5.0.3 has been released. It addresses a denial-of-service vulnerability.

The CVE ID for the bug is:CVE-2006-1993.

win32sux 05-23-2006 11:54 PM

Firefox Exception Handling Full Path Disclosure Weakness (Not Critical)
 
Quote:

Description:
A weakness has been discovered in Firefox, which can be exploited by malicious people to disclose system information.

The weakness is caused due to file path information being included in certain exceptions being thrown by the browser. This can e.g. be exploited to disclose the full installation path by calling the "window.sidebar.addSearchEngine()" JavaScript function with invalid parameters.

This may reportedly also be exploited to disclose the full path to the user's profile via errors thrown in installed extensions.

The weakness has been confirmed in version 1.5.0.3. Other versions may also be affected.

Solution:
Disable JavaScript support.
Secunia Advisory

craigevil 05-24-2006 12:52 AM

The NoScript extension "should" take care of the JS vulnerability, unless it is a trusted site. :)


All times are GMT -5. The time now is 08:04 PM.