LinuxQuestions.org
10-19-2007, 04:24 PM   #76
win32sux

Mozilla Firefox Multiple Vulnerabilities (Highly Critical)


Quote:
Some vulnerabilities and a weakness have been reported in Mozilla Firefox, which can be exploited by malicious people to disclose sensitive information, conduct phishing attacks, manipulate certain data, and potentially compromise a user's system.
Secunia Advisory
 
11-09-2007, 06:36 PM   #77
win32sux

"jar:" Protocol Handling Cross-Site Scripting Security Issue (Less Critical)

Quote:
Description:
A security issue has been reported in Mozilla Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks.

The problem is that the "jar:" protocol handler does not validate the MIME type of the contents of an archive, which are then executed in the context of the site hosting the archive. This can be exploited to conduct cross-site scripting attacks on sites that allow a user to upload certain files (e.g. .zip, .png, .doc, .odt, .txt).

Solution:
Do not follow untrusted "jar:" links or browse untrusted websites.
Secunia Advisory
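
A server-side screen for the upload scenario the advisory above describes, as an added example that is not part of the original post or the Secunia advisory. It flags uploads that parse as ZIP archives despite a non-archive extension, or that carry browser-renderable members; the function names, verdict strings and the `ACTIVE_EXTS` policy list are assumptions made for illustration.

```python
import io
import zipfile
from typing import Optional

ARCHIVE_EXTS = {".zip", ".odt"}  # upload types that are ZIP containers by design
ACTIVE_EXTS = (".html", ".htm", ".xhtml", ".js", ".svg")  # assumed policy list


def archive_members(data: bytes) -> Optional[list]:
    """Return member names if data parses as a ZIP archive, else None."""
    buf = io.BytesIO(data)
    # is_zipfile() looks for the end-of-central-directory record at the end
    # of the file, so leading non-archive bytes do not hide an archive.
    if not zipfile.is_zipfile(buf):
        return None
    try:
        with zipfile.ZipFile(buf) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def screen_upload(filename: str, data: bytes) -> str:
    """Return 'ok', 'disguised-archive' or 'active-content'."""
    members = archive_members(data)
    if members is None:
        return "ok"  # not an archive; outside the scope of this check
    if any(m.lower().endswith(ACTIVE_EXTS) for m in members):
        return "active-content"
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    return "ok" if ext in ARCHIVE_EXTS else "disguised-archive"


def make_zip(members: dict) -> bytes:
    """Build a small in-memory archive (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {  # all sample uploads below are constructed
        "notes.txt": b"plain text, constructed sample\n",
        "report.odt": make_zip({"content.xml": "<doc/>"}),
        "photo.png": b"\x89PNG\r\n\x1a\n" + make_zip({"a.txt": "x"}),
        "bundle.zip": make_zip({"index.html": "<p>constructed</p>"}),
    }
    for name, data in samples.items():
        print(f"{name}: {screen_upload(name, data)}")
```

The check parses the whole upload rather than sniffing its first bytes, because ZIP readers locate the archive from the end of the file.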
 
11-27-2007, 07:18 AM   #78
win32sux

Mozilla Firefox Multiple Vulnerabilities (Moderately Critical)

Quote:
Description:
Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to conduct cross-site request forgery attacks and potentially to compromise a user's system.

1) A race condition when setting the "window.location" property can be exploited to generate a fake HTTP Referer header, which can be used to conduct cross-site request forgery attacks.

2) Some unspecified errors can be exploited to cause memory corruption and potentially allow execution of arbitrary code.

The vulnerabilities are reported in versions prior to 2.0.0.10.

Solution:
Update to version 2.0.0.10.
Secunia Advisory | CVE-2007-5959 | CVE-2007-5960
 
12-04-2007, 12:05 PM   #79
win32sux

Firefox Charset Inheritance Cross-Site Scripting Security Issue

Quote:
Description:
Paul Szabo has discovered a security issue in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks.

The security issue is caused due to embedded iframes inheriting the charset of parent frames when the charset is set manually. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of certain sites that are included via iframes in a malicious page.

Successful exploitation requires that the target user is tricked into changing the charset of the parent page e.g. to UTF-7.

The security issue is confirmed in Firefox 2.0.0.11. Other versions may also be affected.

Solution:
Do not change the character encoding manually. Do not browse untrusted sites.
Secunia Advisory
 
01-04-2008, 04:45 PM   #80
win32sux

Firefox Hit With Spoofing Bug

Quote:
A serious flaw in how Firefox handles log-ons could be used by identity thieves to dupe users into disclosing passwords, a noted security researcher said Wednesday.

Aviv Raff, an Israeli researcher best known for ferreting out browser flaws, revealed the Firefox spoofing vulnerability on his personal blog, and posted a demonstration video there. He did not go public with any proof-of-concept code or working exploit, however.

According to Raff, Firefox 2.0.0.11 -- Mozilla Corp.'s most current version -- fails to sanitize single quotation marks and spaces in what's called the "Realm" value of an authentication header. "This makes it possible for an attacker to create a specially crafted Realm value which will look as if the authentication dialog came from a trusted site," said Raff.
Full Article

Last edited by win32sux; 01-04-2008 at 04:46 PM.
 
01-24-2008, 12:23 PM   #81
win32sux

Mozilla Firefox "chrome:" Directory Traversal Security Issue

Quote:
Gerry Eisenhaur has discovered a security issue in Mozilla Firefox, which can be exploited by malicious people to bypass certain security restrictions.

The security issue is caused due to an error within the handling of "chrome:" URIs. This can be exploited to include arbitrary scripts from local resources via directory traversal attacks.
Secunia Advisory

Last edited by win32sux; 01-24-2008 at 12:45 PM.
 
02-02-2008, 06:10 PM   #82
win32sux

Mozilla has elevated the severity rating of the above vulnerability to high.
 
02-08-2008, 06:38 AM   #83
win32sux

Firefox 2.0.0.12 is out, and it fixes a bunch of vulnerabilities.
 
03-26-2008, 12:40 PM   #84
win32sux

Mozilla Firefox Multiple Vulnerabilities

A new set of highly critical vulnerabilities have been found/fixed in Firefox.

Please upgrade to version 2.0.0.13 ASAP.
Quote:
Some vulnerabilities and weaknesses have been reported in Mozilla Firefox, which can be exploited by malicious people to bypass certain security restrictions, disclose potentially sensitive information, conduct cross-site scripting and phishing attacks, and potentially compromise a user's system.
For detailed info please see the Secunia Advisory.

Last edited by win32sux; 03-26-2008 at 12:54 PM.
 
04-12-2008, 09:23 PM   #85
Doctorzongo

A very nice tool for Firefox Security is NoScript. It is available in the add-ons page.

NOTE: It may cause some problems with sites such as LinuxQuestions or YouTube ... You must give these sites privileges ... to watch videos, you often have to enable other sites (For YouTube, for example, you need to allow YouTube and ytimg.)
 
04-17-2008, 07:52 PM   #86
win32sux

Mozilla Firefox Javascript Garbage Collector Vulnerability

Quote:
Description:
A vulnerability has been reported in Mozilla Firefox, which can potentially be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error in the Javascript Garbage Collector and can be exploited to cause a memory corruption via specially crafted Javascript code.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in version 2.0.0.13. Prior versions may also be affected.

Solution:
Update to version 2.0.0.14.
http://www.mozilla.com/en-US/firefox/
Secunia Advisory
 
04-28-2008, 07:27 PM   #87
win32sux

Firekeeper for Firefox

Hello everyone! Just thought I'd chime in and point you to a thread started by our friend unixfool. In it, he introduces us to Firekeeper, an IDS/IPS extension for Firefox. I haven't tried it yet, but it looks really promising and might be a great way for some of us to increase the security of our Firefoxes. If you wish to discuss Firekeeper, please use unixfool's thread.
 
05-21-2008, 04:05 PM   #88
BallsOfSteel

Since you (win32sux) seem to be the only one posting vulnerabilities/fixes, I'd like to take the chance to say thanks and that it's appreciated.

Regards,

Brandon
 
06-10-2008, 03:32 AM   #89
centralb

"Seconded"

Thanks

Quote:
Originally Posted by BallsOfSteel
Since you (win32sux) seem to be the only one posting vulnerabilities/fixes, I'd like to take the chance to say thanks and that it's appreciated.

Regards,

Brandon
 
06-17-2008, 08:40 AM   #90
ceantuco

Thanks Win32sux!!!
 
  


All times are GMT -5.