|
28 Feb 07 - 10:40 AM (#1981814) Subject: Tech: Firefox Alert From: JohnInKansas Users of recent Firefox versions may have received notices, but those still using older versions may have missed out: [From eWeek] New Firefox Updates Eliminate Major Security Flaw February 23, 2007 By Chris Preimesberger Mozilla on Feb. 23 released updated versions of the Firefox browser, v1.5.0.10 and v2.0.0.2, for Windows, Mac and Linux, which include the fix for a major security flaw. The "location.hostname" vulnerability potentially allowed hackers to tamper with authentication cookies for third-party sites, manipulating how Web sites are displayed and how they operate, Mozilla said. "We strongly recommend that all Firefox users upgrade to this latest release," said Mike Schroepfer, vice president of engineering for Mozilla, in Mountain View, Calif. "This update resolves the location.hostname vulnerability, and other security and stability issues. Thanks to the work of our contributors, we have been able to address these issues quickly in order to minimize the security risk to Firefox users." The updates are available immediately in 37 languages, including French, German, Spanish, Italian and Japanese. Other security fixes in the new versions, according to Schroepfer, include improvements to help protect against cross-site scripting attacks; an adjustment of Mozilla Network Security Services SSLv2 to stop buffer overflow; the fixing of XSS and local file access by opening blocked popups; the elimination of spoofing using custom cursor and CSS3 hotspot; and the elimination of information disclosure through cache collisions. For details on which flaws were fixed in this release, click here. Firefox 1.5.0.x will be maintained with security and stability updates until April 24, 2007; however, all users are encouraged to upgrade to Firefox 2, Schroepfer said. Users who already have Firefox 1.5.0.x or Firefox 2.0.0.x will receive an automated update notification within 24 to 48 hours, Schroepfer said. This update can also be applied manually by selecting "Check for Updates" from the Help menu starting later in the day on Feb. 23, Schroepfer said. The new Firefox v2.0.0.2 update can be obtained here. Firefox v1.5.0.10 is available for download here. Click here to read more about the location.hostname vulnerability, and how it could be used to make a malicious site appear authentic. For "a pending issue:" Click here to read about a critical memory corruption flaw that wasn't addressed by this update. [end eWeek quotes] Some of the "other things" fixed in this release appear to be somewhat like things that have caused significant problems with "the other browser," so this should be considered a "significant upgrade." The eWeek article at the first link above offers a number of "related info" links that may be of interest; but I'll leave it for those adventurous enough to find them (it's not too hard). For those really interested, the Security Watch blog might be a good bookmark to have handy to keep an eye on things. John |
|
28 Feb 07 - 10:45 AM (#1981819) Subject: RE: Tech: Firefox Alert From: katlaughing John, I have Firefox 2.0.0.2, but don't remember getting any notification. I followed your link to the update for it, but all it was was a new download of 2.0.0.2. Is there just an update somewhere or would it be best to download the whole thing, again? Thanks! |
|
28 Feb 07 - 11:12 AM (#1981842) Subject: RE: Tech: Firefox Alert From: Geoff the Duck I'm using it right now. Quack! GtD. |
|
28 Feb 07 - 11:25 AM (#1981857) Subject: RE: Tech: Firefox Alert From: JohnInKansas Kat - The version you have is the one mentioned in the first paragraph or so of my post. The discussion I saw of which versions would get automatic updates was a little coonfoozing to me, since I don't really have a good idea of what people are using. Since v2.0.0.2 appears to have been released within the past week or so, if you have it you almost certainly were treated to an automatic update. Some have commented about prefering older versions. They should note the comment that (security) support for (some?) older ones will terminate soon. - Firefox 1.5.0.x will be maintained ... . above. John |
|
28 Feb 07 - 11:49 AM (#1981889) Subject: RE: Tech: Firefox Alert From: bobad Thanks for the heads up JinK |
|
28 Feb 07 - 11:57 AM (#1981895) Subject: RE: Tech: Firefox Alert From: nutty Yes .. thanx from me as well John |