Actually that stuff is quite interesting, and something that hadn't occurred to me before reading the article and some related articles. Thanks for posting about it.
Mozilla Firefox 3.6.4 release on May 4, second test version on April 27
Quote:
Mozilla has just put online a first beta of Firefox 3.6.4, which includes a mechanism for isolating plugins. The Mozilla browser strengthens its stability.
Firefox 3.6.4 provides an insulation function of grafts. In the event of a crash of a plug-in, web browser will continue to operate. Functionality already found in third-party products, such as Internet Explorer and Chrome. Caution, however, because only Flash, QuickTime and Silverlight will benefit from this technology. The other grafts continue to function as usual.
Developers have the opportunity to correct also almost 170 bugs, which will improve the stability of the browser and address various security issues.
Distribution: Linux Mint "Mate" x64 (primary OS), Win 7/8 x64, XP Home/Pro x32.
Well, IE is targeted by this same problem now (remote code execution). Many are adopting Firefox (3.6.3) over it. I, preferring beta products (someone has to try them out & use them), have 3.6.4. This issue appears as though it will never stop, so everyone, stay on your toes. FF with NoScript, along with safe computing practices, will help to minimize any damage that these people who are responsible for this are trying to do. People are nuts these days; a couple of days ago, someone joined our forum and posted a command to "increase speed & performance". Turns out that one of the moderators caught on quickly; entering this command & pressing "enter" would destroy the entire Windows files & subfolders. It is sickening to think that someone would post this command on an open forum that's here to help others. I'm staying as alert as possible on this issue that the OP brought up, and making efforts to educate others, too. Best wishes to all!
Last edited by catilley1092; 05-10-2010 at 09:49 AM.
Reason: added information
Mozilla Firefox Error Handling Information Disclosure Vulnerability
Quote:
Soroush Dalili has discovered a vulnerability in Mozilla Firefox, which can be exploited by malicious people to disclose potentially sensitive information.
The vulnerability is caused due to the "window.onerror" handler being allowed to read the destination URL of a redirection. This can be exploited to e.g. disclose session-specific query parameters contained in a target URL by referencing a redirecting site via an HTML "<script>" tag.
The vulnerability is confirmed in version 3.6.3 and 3.5.9. Other versions may also be affected.
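A server-side check related to the advisory above, as an added example that is not part of the original thread or the advisory: since the leak exposes whatever the redirect's destination URL contains, this audits redirect responses for session-specific parameters in the `Location` target. The parameter-name pattern, the function names and the sample responses are assumptions made for the illustration.

```javascript
// Added example: audit redirect responses for session-specific data in the
// destination URL. SENSITIVE_PARAMS is an assumed, site-specific name list.
const SENSITIVE_PARAMS = /^(sid|session(_?id)?|phpsessid|jsessionid|token|auth)$/i;

// Returns the parameter names in a redirect target that look session-specific.
function sensitiveParamsIn(locationHeader, requestUrl) {
  // Resolve relative Location values against the URL that was requested.
  const target = new URL(locationHeader, requestUrl);
  const names = [];
  for (const name of target.searchParams.keys()) {
    if (SENSITIVE_PARAMS.test(name)) names.push(name);
  }
  // ";jsessionid=..." style path parameters are part of the destination URL too.
  const pathParam = /;([a-z_]+)=/i.exec(target.pathname);
  if (pathParam && SENSITIVE_PARAMS.test(pathParam[1])) names.push(pathParam[1]);
  return names;
}

// Flags 3xx responses whose destination URL carries session-specific parameters.
function auditRedirects(responses) {
  const findings = [];
  for (const r of responses) {
    if (r.status < 300 || r.status > 399 || !r.location) continue;
    const params = sensitiveParamsIn(r.location, r.url);
    if (params.length > 0) findings.push({ url: r.url, params });
  }
  return findings;
}

// Constructed sample data (not taken from any real site).
const sampleResponses = [
  { url: "https://app.example/start", status: 302, location: "/home?sid=3f9a&lang=en" },
  { url: "https://app.example/docs", status: 301, location: "https://app.example/docs/" },
  { url: "https://app.example/login", status: 302, location: "/inbox;jsessionid=AB12?view=all" },
  { url: "https://app.example/page", status: 200, location: null },
];

console.log(auditRedirects(sampleResponses));
```

Redirects that are flagged are candidates for moving the session identifier out of the URL, for example into a cookie.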
Mozilla Firefox Address Bar Spoofing Vulnerability
Quote:
Michal Zalewski has discovered a vulnerability in Mozilla Firefox, which can be exploited by malicious people to conduct spoofing attacks.
The vulnerability is caused due to the address bar of a newly opened window displaying the URL of the requested location before the page is loaded. This can be exploited to display arbitrary content in the blank document while showing the URL of a trusted web site in the address bar, e.g. by calling "window.stop()" to abort loading the new page.
The vulnerability is confirmed in version 3.6.4. Other versions may also be affected.
Refresh of the Mozilla Security Bug Bounty Program
Quote:
Mozilla launched its security bounty program in 2004 and while the original mission of protecting users by supporting security research has not changed, the security environment has changed tremendously. In recognition of these changes we are updating our security bounty program to better support constructive security research.
For new bugs reported starting July 1st, 2010 UTC we are changing the bounty payment to $3,000 US per eligible security bug.
The Internet Explorer, Firefox, Chrome, and Safari browsers are susceptible to attacks that allow webmasters to glean highly sensitive information about the people visiting their sites, including their full names, email addresses, location, and even stored passwords, a security researcher says.
In a talk scheduled for next week's Black Hat security conference in Las Vegas, Jeremiah Grossman, CTO of White Hat Security, plans to detail critical weaknesses that are enabled by default in the browsers, which are the four biggest by market share. The vulnerabilities have yet to be purged by the respective browser makers despite months, and in some cases, years of notice.
Triggering the input from JavaScript as described in the above article is interesting and something I hadn't considered, but even without the JavaScript angle, those features screamed "BAD IDEA" at me so loudly from the very first that it even penetrated my tin-foil hat. Turning off form input auto-complete, and password saving features is one of the first things I do after installing a browser.
The remote code execution issues in Firefox are much more worrying though. If they can find this many to fix in a single patch, it makes me wonder just how many others are lurking in there.