| Firefox, Thunderbird critical updates explained |
Sep. 15, 2006
  Mozilla on Sept. 14 reissued the popular open-source Firefox Web browser, and its email counterpart, Thunderbird, with new security and stability fixes. Each of the open-source apps rolls to version 1.5.0.7.
Firefox update
Firefox 1.5.0.7 comes with fixes for half-a-dozen minor security vulnerabilities. The first of these is a patch that will prevent possible attacks from opening a previously blocked popup that was using an XSS (cross-site scripting) attack.
Perhaps the most critical of these corrects an implementation error in the RSA security signature verification. This made it possible for an attacker to make a forged signature for an altered message.
Another serious problem that has been fixed was that JavaScript could be relatively easily tricked into heap buffer overflows. This, in turn, could be exploited to run a malware program.
The new browser version also prevents malicious sites from injecting content into a sub-frame of another site. This could have the effect of making an attackers' content look like it was part of the victim site.
Several other, less important security problems were also fixed. In addition, Firefox has been made more stable.
On Linux, Firefox now follows GTK widget library's setting for textbox keybindings. With these bindings, which are often called Emacs-bindings, pressing Ctrl+letters triggers application shortcuts instead of readline-like text-editing shortcuts.
The new Firefox will work flawlessly with most GTK/Gnome-based desktops, but there is one exception -- Fedora Core 3, because GNOME integration does not work properly.
Special Fedora Core 3 update process
Fedora Core 3 users must download and install linc-1.0.3-3.1.i386.rpm. Then, after installing it, they must run a shell, move the Firefox directory, and run the following command: touch .autoreg. After this, when Firefox is next run it should be properly integrated with GNOME.
Fedora Core 3 users will also need to follow the same procedure when they update to Thunderbird 1.5.0.7.
Thunderbird update
Speaking of Thunderbird, all but one of its security patches are identical to Firefox's fixes. The one exception is that even with JavaScript disabled in mail, an attacker can still execute JavaScript when a mail message is viewed, replied to, or forwarded by putting the script in a remote XBL (eXtensible Binding Language) file, which is then loaded by the message.
While this could happen despite JavaScript being disabled, a potential victim would have to have chosen to Load Images for the XBL/JavaScript trick to work. This attack would not be able to directly attack a system, but it could be used to change a message being viewed or enable an attacker to "spy" on the response to a message.
Patch availability
While there have been no reports of any of these patched holes being used in real-world exploits, Firefox and Thunderbird users should upgrade their programs as soon as possible. The Thunderbird patch can be found on the Mozilla Thunderbird website and the new Firefox can be downloaded from the Mozilla Firefox website.
Finally, there are also new security updates for the Mozilla-based Mac OS X Camino web browser and the SeaMonkey web browser/email Internet suite.
-- Steven J. Vaughan-Nichols
Related Stories:
(Click here for further information)
|
|
|
|
|
|
|
|
