Old 02-02-2006, 11:36 AM   #1
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Mozilla Firefox Vulns


This thread serves as a discussion place for any current security vulnerabilities in Mozilla Firefox. LQ members are encouraged to subscribe to this thread in order to stay informed about the latest Mozilla Firefox security fixes and workarounds. If this is your first time stopping by this thread, get the latest info by jumping to the last page.

Last edited by win32sux; 08-11-2007 at 05:00 PM.
 
Old 02-03-2006, 05:52 AM   #2
Ygrex
Member
 
Registered: Nov 2004
Location: Russia (St.Petersburg)
Distribution: Debian
Posts: 666

Rep: Reputation: 68
Thank you, updating right now.
 
Old 02-09-2006, 02:42 PM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 380
Just an update to let everyone know that an exploit for CVE-2006-0295 has been made public.

Quote:
H D Moore of the Metasploit Project published a working exploit on milw0rm for the Linux and Mac OS X versions of Firefox 1.5. Severity upgraded to critical.
http://www.mozilla.org/security/anno...sa2006-04.html

This vulnerability is fixed in Firefox 1.5.0.1, so upgrade today!!!

Last edited by win32sux; 02-11-2006 at 06:21 PM.
 
Old 02-24-2006, 02:08 PM   #4
w8qh
LQ Newbie
 
Registered: Feb 2006
Location: Ohio
Distribution: Mephis 3.3
Posts: 2

Rep: Reputation: 0
Foxfire update

Thank you, I too will be upgrading very soon.
 
Old 03-01-2006, 09:30 AM   #5
Robhogg
Member
 
Registered: Sep 2004
Location: Old York, North Yorks.
Distribution: Debian 7 (mainly)
Posts: 653

Rep: Reputation: 97
I've downloaded the new version, and extracted the tar archive. However, the installation instructions on the site were sparse, to say the least:

Quote:
Linux/GTK2

Extract the tarball in the directory where you want to install Firefox:

tar -xzvf firefox-1.5.0.1.tar.gz

This will create a firefox subdirectory of that directory

Doing just this, the firefox command still opens the old version, and the new version will open only if I specify the full path.

Entering which firefox points to /usr/bin/firefox, which is a symlink to the old firefox file. Should I just change this to point to the new version, or is there something more clever that I should do?

Rob
 
Old 03-01-2006, 09:56 AM   #6
microsoft/linux
Senior Member
 
Registered: May 2004
Location: Sebec, ME, USA
Distribution: Debian Etch, Windows XP Home, FreeBSD
Posts: 1,445
Blog Entries: 9

Rep: Reputation: 48
I had this same problem when I was trying to update from 1.0.7. I ended up waiting for debian to get a 1.5.0 version. Anyone know about the status of that?
 
Old 03-01-2006, 10:46 AM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 380
Quote:
Originally Posted by Robhogg
I've downloaded the new version, and extracted the tar archive. However, the installation instructions on the site were sparse, to say the least:

Doing just this, the firefox command still opens the old version, and the new version will open only if I specify the full path.

Entering which firefox points to /usr/bin/firefox, which is a symlink to the old firefox file. Should I just change this to point to the new version, or is there something more clever that I should do?

IIRC, the tarball comes with an installer, so you'd have to execute the installer, instead of just untarring and running... try it as a non-root user first until you're sure you have it right... and yes, you'd have to specify the full path to the firefox binary until you replace your old one or adjust the symlink...

BTW, i recommend that you use a binary package from your distro instead...

Quote:
Originally Posted by microsoft/linux
I had this same problem when I was trying to update from 1.0.7. I ended up waiting for debian to get a 1.5.0 version. Anyone know about the status of that?

i seriously doubt the stable branch will be getting 1.5 as it would go against the stability philosophy, but you can get 1.5 from the unstable branch: http://packages.debian.org/unstable/web/mozilla-firefox
 
Old 03-01-2006, 03:15 PM   #8
microsoft/linux
Senior Member
 
Registered: May 2004
Location: Sebec, ME, USA
Distribution: Debian Etch, Windows XP Home, FreeBSD
Posts: 1,445
Blog Entries: 9

Rep: Reputation: 48
Yeah, I'm running testing, and I got 1.5 from unstable. I looked, and it looks like unstable's got 1.5.0.1 (if that's the right version), so I'll upgrade from there.
 
Old 03-01-2006, 03:30 PM   #9
Robhogg
Member
 
Registered: Sep 2004
Location: Old York, North Yorks.
Distribution: Debian 7 (mainly)
Posts: 653

Rep: Reputation: 97
Quote:
Originally Posted by win32sux
IIRC, the tarball comes with an installer, so you'd have to execute the installer, instead of just untarring and running... try it as a non-root user first until you're sure you have it right... and yes, you'd have to specify the full path to the firefox binary until you replace your old one or adjust the symlink...

I couldn't find an installer. There were a couple of other likely-looking files in the directory, but I couldn't get either to run (and like I said, the mozilla website was being less than helpful). In the end, I moved the folder to /opt (alongside the old installation), and recreated the link.

I then found that, although my bookmarks and cookies had been copied over, my plugins were missing. In the end, after searching for a way of setting these in the browser (and getting nowhere), I simply copied the plugins from the folder in /usr/lib/browser-plugins over to firefox's /plugins sub-folder and it worked. I can't believe it was that easy!!

Thanks,
Rob
(Currently listening to Goodness Gracious Me from the BBC website)

Last edited by Robhogg; 03-01-2006 at 03:34 PM.
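An added example (not from the thread or from Mozilla's instructions) for the situation in posts #5 to #9: after unpacking a patched tarball next to an old install, check which file the `firefox` command really resolves to, then repoint the symlink. The sandbox paths and the function names `resolve_cmd`, `runs_from`, `repoint` and `demo` are hypothetical.

```shell
#!/bin/sh
# All files here are constructed in a temporary sandbox that stands in for
# /usr/bin and /opt; nothing on the real system is touched.

# Print the fully resolved file behind the first PATH match for command $1.
resolve_cmd() {
    found=$(command -v "$1") || return 1
    readlink -f "$found"
}

# Return 0 if command $1 resolves to a file inside install directory $2.
runs_from() {
    target=$(resolve_cmd "$1") || return 2
    want=$(readlink -f "$2")
    case "$target" in
        "$want"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Repoint symlink $1 at $2 (-n: replace the link itself, do not follow it).
repoint() {
    ln -sfn "$2" "$1"
}

# Build the sandbox, check before and after the repoint, print both results.
# The body runs in a subshell so the PATH change does not leak out.
demo() (
    box=$(mktemp -d) || exit 1
    mkdir -p "$box/bin" "$box/opt/firefox-old" "$box/opt/firefox-new"
    for d in old new; do
        printf '#!/bin/sh\necho %s\n' "$d" > "$box/opt/firefox-$d/firefox"
        chmod +x "$box/opt/firefox-$d/firefox"
    done
    ln -s "$box/opt/firefox-old/firefox" "$box/bin/firefox"
    PATH="$box/bin:$PATH"
    runs_from firefox "$box/opt/firefox-new" && before=patched || before=stale
    repoint "$box/bin/firefox" "$box/opt/firefox-new/firefox"
    runs_from firefox "$box/opt/firefox-new" && after=patched || after=stale
    rm -rf "$box"
    echo "$before $after"
)

demo
```

On a real system the same check is `runs_from firefox /opt/firefox` (or wherever the tarball was unpacked); a "stale" result means the unpatched binary is still the one launched by name.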
 
Old 04-14-2006, 01:53 AM   #10
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 380
Firefox 1.5.0.2 has been released. Aside from the usual stability fixes, there are also several security fixes included.

Last edited by win32sux; 04-14-2006 at 05:12 AM.
 
Old 04-14-2006, 05:11 AM   #11
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 380
Secunia's put out an advisory already (and it's a big one):
Quote:
Multiple vulnerabilities have been reported in Firefox, which can be exploited by malicious people to conduct cross-site scripting and phishing attacks, bypass certain security restrictions, disclose sensitive information, and potentially compromise a user's system.
http://secunia.com/advisories/19631/
 
Old 04-18-2006, 08:29 PM   #12
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 380
there's been a non-critical security issue found in 1.5.0.2... even though the issue is non-critical, i figured it's in the thread's best interest to have it posted... here it is:
Quote:
Description:
PSPFrenzy has discovered a weakness in Firefox, which can be exploited by malicious people to bypass certain security restrictions.

Internet web sites are normally not allowed to link to local resources. It is, however, possible by a malicious web site to open local content in the browser by tricking a user into right-clicking and choosing "View Image" on a broken image, which is referencing a local resource (e.g. via the file: URI handler).

NOTE: This does not pose any direct security impact by itself, but may be exploited in combination with other vulnerabilities.

The weakness has been confirmed in version 1.5.0.2. Other versions may also be affected.

Solution:
Do not use the "View Image" functionality on untrusted web sites.
Secunia Advisory
 
Old 05-03-2006, 05:42 AM   #13
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 380
Mozilla Firefox 1.5.0.3 has been released. It addresses a denial-of-service vulnerability.

The CVE ID for the bug is: CVE-2006-1993.

Last edited by win32sux; 05-03-2006 at 05:43 AM.
 
Old 05-23-2006, 11:54 PM   #14
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 380
Firefox Exception Handling Full Path Disclosure Weakness (Not Critical)

Quote:
Description:
A weakness has been discovered in Firefox, which can be exploited by malicious people to disclose system information.

The weakness is caused due to file path information being included in certain exceptions being thrown by the browser. This can e.g. be exploited to disclose the full installation path by calling the "window.sidebar.addSearchEngine()" JavaScript function with invalid parameters.

This may reportedly also be exploited to disclose the full path to the user's profile via errors thrown in installed extensions.

The weakness has been confirmed in version 1.5.0.3. Other versions may also be affected.

Solution:
Disable JavaScript support.
Secunia Advisory
 
Old 05-24-2006, 12:52 AM   #15
craigevil
Senior Member
 
Registered: Apr 2005
Location: OZ
Distribution: Debian Sid/RPIOS
Posts: 4,883
Blog Entries: 28

Rep: Reputation: 533
The NoScript extension "should" take care of the JS vulnerability, unless it is a trusted site.
 
  

