Firefox, Thunderbird critical updates explained
Sep. 15, 2006

Mozilla on Sept. 14 reissued the popular open-source Firefox Web browser, and its email counterpart, Thunderbird, with new security and stability fixes. Each of the open-source apps rolls to version 1.5.0.7.

Firefox update

Firefox 1.5.0.7 comes with fixes for half-a-dozen minor security vulnerabilities. The first of these is a patch that prevents a previously blocked popup from being opened in a way that enables an XSS (cross-site scripting) attack.

Perhaps the most critical of these corrects an implementation error in RSA signature verification that made it possible for an attacker to forge a signature for an altered message.

Another serious problem now fixed: the JavaScript engine could be tricked relatively easily into a heap buffer overflow, which in turn could be exploited to run malware.

The new browser version also prevents malicious sites from injecting content into a sub-frame of another site. This could have had the effect of making an attacker's content look like it was part of the victim site.

Several other, less important security problems were also fixed. In addition, Firefox has been made more stable.

On Linux, Firefox now follows the GTK widget library's setting for textbox keybindings. With these bindings, often called Emacs bindings, pressing Ctrl+letter triggers application shortcuts instead of readline-like text-editing shortcuts.

The new Firefox will work flawlessly with most GTK/GNOME-based desktops, with one exception: on Fedora Core 3, GNOME integration does not work properly.

Special Fedora Core 3 update process

Fedora Core 3 users must download and install linc-1.0.3-3.1.i386.rpm. After installing it, they must open a shell, change to the Firefox directory, and run the command touch .autoreg. The next time Firefox is started it should be properly integrated with GNOME.

Fedora Core 3 users will also need to follow the same procedure when they update to Thunderbird 1.5.0.7.

Thunderbird update

Speaking of Thunderbird, all but one of its security patches are identical to Firefox's fixes. The one exception addresses a flaw in which, even with JavaScript disabled for mail, an attacker could still execute JavaScript when a message was viewed, replied to, or forwarded, by placing the script in a remote XBL (eXtensible Binding Language) file that the message then loads.

Although this could happen despite JavaScript being disabled, a potential victim would first have to have chosen to Load Images for the XBL/JavaScript trick to work. The attack could not directly compromise a system, but it could be used to alter the message being viewed or to let an attacker "spy" on the reply to a message.

Patch availability

While there have been no reports of any of these patched holes being used in real-world exploits, Firefox and Thunderbird users should upgrade their programs as soon as possible. The Thunderbird patch can be found on the Mozilla Thunderbird website and the new Firefox can be downloaded from the Mozilla Firefox website.

Finally, there are also new security updates for the Mozilla-based Mac OS X Camino web browser and the SeaMonkey web browser/email Internet suite.


-- Steven J. Vaughan-Nichols
