LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 05-17-2007, 02:42 AM   #61
GothManiac
Member
 
Registered: Mar 2007
Posts: 45

Rep: Reputation: 15

Quote:
Originally Posted by Robhogg
I've downloaded the new version, and extracted the tar archive. However, the installation instructions on the site were sparse, to say the least:



Doing just this, the firefox command still opens the old version, and the new version will open only if I specify the full path.

Entering which firefox points to /usr/bin/firefox, which is a symlink to the old firefox file. Should I just change this to point to the new version, or is there something more clever that I should do?

Rob
For tarballs, generally after you untar it (this just uncompresses the file), you cd to the directory then run the installer, which is generally something like this:
./configure
make
make install

Try that and see if that helps. Or check out the readme file, it should have install instructions.
 
Old 06-01-2007, 10:49 AM   #62
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371
Mozilla Firefox Multiple Vulnerabilities (Highly Critical)

Quote:
Description:
Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to conduct spoofing attacks, bypass certain security restrictions, and potentially compromise a user's system.

1) Errors in the JavaScript engine can be exploited to cause memory corruption and potentially to execute arbitrary code.

2) An error in the "addEventListener" method can be exploited to inject script into another site, circumventing the browser's same-origin policy. This could be used to access or modify sensitive information from the other site.

3) An error in the handling of XUL popups can be exploited to spoof parts of the browser such as the location bar.

Secunia has constructed the Secunia Software Inspector, which you can use to check if your system is vulnerable:
http://secunia.com/software_inspector/

Solution:
Update to version 2.0.0.4 or 1.5.0.12.
Secunia Advisory
 
Old 06-01-2007, 10:52 AM   #63
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371
Mozilla Firefox / Seamonkey "resource://" Information Disclosure (Not Critical)

Quote:
Description:
A security issue has been reported in Mozilla Firefox and Mozilla Seamonkey, which can be exploited by malicious people to disclose potentially sensitive information.

The security issue is caused due to the browser not properly restricting "resource://" URIs to be loaded into the JavaScript space. Combined with directory traversal due to insufficient filtering of certain character sequences, this can be exploited to disclose e.g. the default security settings.

Note: The directory traversal is fixed in Mozilla Firefox version 2.0.0.4 for Windows. However it is still possible to include files from the installation folder. Also, the directory traversal issue is not fixed for UNIX-like operating systems. Reportedly, this also introduces a new, unspecified input validation flaw.

Solution:
Visit trusted sites only.
Secunia Advisory
 
Old 06-27-2007, 10:44 PM   #64
netmanwolf
LQ Newbie
 
Registered: May 2007
Posts: 6

Rep: Reputation: 0
I believe the newest version of NoScript blocks a lot of these exploits. Not all, of course, but quite a few. I think the authors have been working with Jeremiah Grossman and RSnake to fix a lot of issues.

If you read the changelog, it now blocks even sites that were in the trusted list. JavaScript is not the only mitigation here, either. It also blocks a lot of Java and Flash.

Just my two cents worth,
Netmanwolf
 
Old 07-02-2007, 07:40 AM   #65
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371
Firefox "OnKeyDown" Event Focus Weakness (Not Critical)

Quote:
Description:
Carl Hardwick has discovered a weakness in Firefox, which potentially can be exploited by malicious people to disclose sensitive information.

The weakness is caused due to a design error within the focus handling of form fields and can potentially be exploited by changing the focus from a "textarea" field to a "file upload" form field via the "OnKeyDown" event.

Successful exploitation allows an arbitrary file on the user's system to be uploaded to a malicious web site, but requires that the user is tricked into typing the file name into a "textarea" input form.

The weakness is confirmed in version 2.0.0.4. Other versions may also be affected.

Solution:
Disable JavaScript support.

Do not enter file names to form fields on untrusted web sites.
Secunia Advisory
 
Old 07-10-2007, 01:47 PM   #66
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371
Firefox "wyciwyg://" Handler Vulnerability (Less Critical)

Quote:
Description:
Michal Zalewski has discovered a vulnerability in Mozilla Firefox, which can be exploited by malicious people to disclose sensitive information and conduct spoofing attacks.

The vulnerability is caused due to an error in the handling of the "wyciwyg://" URI handler. This can be exploited to access or spoof contents from a previously cached web site e.g. via HTTP 302 redirects when a user visits a malicious web page.

The vulnerability is confirmed in version 2.0.0.4. Other versions may also be affected.

Solution:
Do not browse untrusted web sites.
Secunia Advisory
 
Old 07-10-2007, 01:49 PM   #67
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371
Firefox "firefoxurl" URI Handler Registration Vulnerability (Highly Critical)

Unlike the above vulnerability (which is exploitable on GNU/Linux), this one does not seem to directly affect GNU/Linux. However, I'm leaving it posted here in the hopes that it raises awareness about the possible dangers involved whenever you have Firefox initiated from other apps. I'm thinking stuff like Gaim/Pidgin, etc.

Quote:
Description:
A vulnerability has been discovered in Firefox, which can be exploited by malicious people to compromise a user's system.

The problem is that Firefox registers the "firefoxurl://" URI handler and allows invoking firefox with arbitrary command line arguments. Using e.g. the "-chrome" parameter it is possible to execute arbitrary Javascript in chrome context. This can be exploited to execute arbitrary commands e.g. when a user visits a malicious web site using Microsoft Internet Explorer.

The vulnerability is confirmed in Firefox version 2.0.0.4 on a fully patched Windows XP SP2. Other versions may also be affected.

Solution:
Do not browse untrusted sites.

Disable the "Firefox URL" URI handler.
Secunia Advisory

Last edited by win32sux; 07-10-2007 at 04:48 PM.
 
Old 07-18-2007, 08:37 PM   #68
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371
Mozilla Firefox Multiple Vulnerabilities (Highly Critical)

Quote:
Description:
Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to conduct spoofing and cross-site scripting attacks and potentially to compromise a user's system.

1) Various errors in the browser engine can be exploited to cause memory corruption and potentially to execute arbitrary code.

2) Various errors in the Javascript engine can be exploited to cause memory corruption and potentially to execute arbitrary code.

3) An error in the "addEventListener" and "setTimeout" methods can be exploited to inject script into another site's context, circumventing the browser's same-origin policy.

4) An error in the cross-domain handling can be exploited to inject arbitrary HTML and script code in a sub-frame of another web site.

This is related to vulnerability #5 in:
SA21906

5) An unspecified error in the handling of elements outside of documents allows an attacker to call an event handler and execute arbitrary code with chrome privileges.

6) An unspecified error in the handling of "XPCNativeWrapper" can lead to execution of user-supplied code.

Secunia has constructed the Secunia Software Inspector, which you can use to check if your system is vulnerable:
http://secunia.com/software_inspector/

Solution:
Update to version 2.0.0.5.
Secunia Advisory
 
Old 07-20-2007, 11:46 PM   #69
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371
I saw this on Slashdot.org today, and thought I'd post a link here as a heads-up.
Quote:
The Mozilla developers have fixed a known hole in the password manager of Firefox & Co, but a door remains open for exploitation. If the user gives permission, the inbuilt password manager of the open-source browser saves passwords and enters data into the respective form fields on the user's next visit automatically. This happens not only on the page where the password was saved, but also on all other pages on this server that contain a similar form.
Holes in Firefox password manager
 
Old 07-31-2007, 03:57 AM   #70
antivirus
Member
 
Registered: Feb 2007
Location: Bangladesh
Distribution: Fedora Core 9
Posts: 59

Rep: Reputation: 15
Thanks for your info
 
Old 07-31-2007, 05:55 PM   #71
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371
Mozilla Products Addon Chrome-Loaded "about:blank" Cross-Context Scripting

Quote:
Description:
A vulnerability has been reported in Mozilla products, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error within the handling of "about:blank" pages loaded by chrome in an addon. This can be exploited to execute script code under chrome privileges by e.g. clicking on a link opened in an "about:blank" window created and populated in certain ways by an addon.

Successful exploitation requires that certain addons are installed.

The vulnerability is reported in the following products and versions:
* Firefox 2.0.0.5
* Thunderbird 2.0.0.5
* SeaMonkey 1.1.3

Solution:
Update to the latest versions:

Firefox:
Update to version 2.0.0.6.
http://www.mozilla.com/en-US/firefox/
Secunia Advisory
 
Old 09-19-2007, 07:07 AM   #72
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371
Firefox "-chrome" Parameter Security Issue

Quote:
Description:
Mozilla has acknowledged a security issue in Firefox, which potentially can be exploited by malicious people to compromise a user's system.

The security issue is caused due to the "-chrome" parameter allowing execution of arbitrary Javascript script code in chrome context. This can be exploited to execute arbitrary commands on a user's system e.g. via applications invoking Firefox with unfiltered command line arguments.

[...]

Solution:
Update to version 2.0.0.7.
Secunia Advisory
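
An added example, not part of the thread or of the Secunia advisory: the advisory above and post #67 both turn on an application handing Firefox unfiltered command-line arguments. The Python below shows how a calling application could validate a link before launching the browser; the function names, the scheme allow-list and the `firefox` binary name are assumptions.

```python
import subprocess
from urllib.parse import urlsplit

# Assumption: the calling application only ever hands web links to the browser.
ALLOWED_SCHEMES = {"http", "https"}


class UnsafeURL(ValueError):
    """Raised when a value must not be passed to the browser."""


def browser_argv(untrusted_url, browser="firefox"):
    """Return the argv list for opening one URL, or raise UnsafeURL."""
    if not isinstance(untrusted_url, str) or not untrusted_url:
        raise UnsafeURL("empty or non-string value")
    # A leading '-' would be read by the browser as an option such as -chrome.
    if untrusted_url.startswith("-"):
        raise UnsafeURL("value looks like a command-line option")
    # Whitespace, control characters and quotes can split one value into
    # several arguments if any later component rebuilds a command string.
    if any(c.isspace() or ord(c) < 0x20 or c in "\"'`" for c in untrusted_url):
        raise UnsafeURL("whitespace, control or quote character in URL")
    try:
        parts = urlsplit(untrusted_url)
    except ValueError as exc:  # e.g. malformed IPv6 literal
        raise UnsafeURL(str(exc)) from exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL("scheme %r is not allowed" % parts.scheme)
    if not parts.hostname:
        raise UnsafeURL("URL has no host")
    return [browser, untrusted_url]


def open_in_browser(untrusted_url):
    """Launch the browser with exactly one validated URL argument."""
    argv = browser_argv(untrusted_url)
    # List form with shell=False: no shell ever parses the URL.
    return subprocess.Popen(argv, shell=False)


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["https://example.org/page?id=1", "-chrome", "chrome://x/y"]:
        try:
            print("ok  ", browser_argv(sample))
        except UnsafeURL as why:
            print("drop", repr(sample), "->", why)
```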
 
Old 09-24-2007, 12:08 PM   #73
crashmeister
Senior Member
 
Registered: Feb 2002
Distribution: t2 - trying to anyway
Posts: 2,541

Rep: Reputation: 47
Gmail and XSS related - dunno if that was already reported but ppl. with gmail accounts should watch out.

http://hackademix.net/2007/09/24/goo...00k-customers/
 
Old 09-24-2007, 06:00 PM   #74
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371
Quote:
Originally Posted by crashmeister
Gmail and XSS related - dunno if that was already reported but ppl. with gmail accounts should watch out.

http://hackademix.net/2007/09/24/goo...00k-customers/
Hi crashmeister. Could you clarify whether this is a Firefox vuln or a Google vuln? I took a look at the link but didn't see anything that looked Firefox-specific. Also, considering this seems to have been posted by the NoScript developer, are we to understand that NoScript protects against it?
 
Old 09-24-2007, 06:19 PM   #75
crashmeister
Senior Member
 
Registered: Feb 2002
Distribution: t2 - trying to anyway
Posts: 2,541

Rep: Reputation: 47
It's not specific AFAIK but it definitely works - actually it's a javascript vuln. with Gmail and works like a beauty with my browser.
There seems to be a problem with Picasa too.
 
All times are GMT -5. The time now is 06:46 PM.