gHacks technology news » firefox vulnerability

Another Critical Firefox Vulnerability Emerges

Martin — Sun, 19 Jul 2009 11:49:10 +0000

It has been only a few days ago that the Mozilla Firefox team released an update for Firefox 3.5 to Firefox 3.5.1 that would close a recently disclosed critical security vulnerability that allowed attackers to execute arbitrary code on the attacked computer system. Earlier today another Firefox vulnerability was disclosed to the public that affects the latest version of Firefox. The vulnerability can be remotely exploited and uses an stack based buffer overflow that is triggered by an overly long string of Unicode data. It can lead to remote code execution or to crashes, freezes or the allocation of a lot of computer memory.

A proof of concept has already been created that demonstrates the vulnerability. No patch has been made available yet. Firefox users are encouraged to disable JavaScript until a patch is issued to avoid leaving their computer system vulnerable for the attack.

Users working with security add-ons like NoScript might consider their Firefox installation safe without disabling JavaScript. It is however theoretically possible to compromise websites that are in the whitelist of the add-on (if the whitelist is used) which would make the system vulnerable to this kind of attack.

JavaScript can be disabled in the Firefox options in the content tab.

Tags: firefox 3.5, firefox security, firefox vulnerability, javascript, mozilla-firefox, web browser

Firefox 3.5.1 Update Available

Martin — Thu, 16 Jul 2009 16:56:15 +0000

A recently disclosed vulnerability in the Firefox 3.5 web browser forced the Mozilla Firefox development team to release version 3.5.1 of the web browser early to fix the vulnerability. The vulnerability, which is affecting all operating systems that Firefox can be installed on, is linked to the Firefox JavaScript Tracemonkey engine. A temporary fix was published soon after that would disable part of the Javascript engine.

The Mozilla Firefox team is currently distributing the Firefox 3.5.1 update to all mirror websites. It is expected to be announced publicly in the next 48 hours giving Firefox 3.5 users a change to update their web browser to fix the security vulnerability.

The release is not available on any of the popular download portals yet. We took the liberty to upload the US version of Firefox 3.5.1 for the Windows operating to a free file host from where it can be downloaded. Users who use a different operating system or language will have to wait a while longer before they can download and update their version of Firefox.

The big download portals are expected to offer Firefox 3.5.1 soon as a download on their website. Cautious users might want to wait until the new version has been announced officially by the Firefox team. Users who have applied the temporary workaround to Firefox 3.5 should undo the changes by doing the following:

Type in about:config in the Firefox address bar and hit enter. Now filter for the term javascript.options.jit.content and double-click it afterwards to set it to true which enables the Tracemonkey JavaScript engine.

Firefox 3.5.1 US for Windows can be downloaded from Mediafire.

Tags: firefox 3.5, firefox security, firefox vulnerability, firefox-update, web browser

Critical Security Vulnerability In Firefox 3.5

Martin — Wed, 15 Jul 2009 12:01:02 +0000

A critical security vulnerability affecting Firefox 3.5 has been discovered and published on the security portal Milw0rm entitled Firefox 3.5 Heap Spray Vulnerability. A proof of concept exploit has been provided. In short, the vulnerability can lead to remote code execution. The good news is that a security patch has already been published by Mozilla Links.

The security vulnerability can be fixed the following way. Type in about:config in the Firefox address bar and hit enter. Now filter for the term javascript.options.jit.content and double-click it afterwards to set it to false which disables the Tracemonkey JavaScript engine. This in turn could (and most likely will) reduce the JavaScript performance of the Firefox 3.5 web browser until an official security patch is provided by the Mozilla Firefox team.

The security patch is expected to be released soon by the Firefox development team. Stay tuned, we keep you updated.

Tags: firefox, firefox exploit, firefox patch, firefox vulnerability, mozilla-firefox, security patch, web browser

Web Browser: Firefox 3.0.8

Martin — Fri, 27 Mar 2009 15:25:28 +0000

The Mozilla Firefox development team had to react quickly after a working vulnerability was discovered affecting all the latest versions of the Firefox web browser. (read Latest Firefox Web Browser Vulnerable to 0-Day Exploit). After news about the vulnerability spread like wildfire on the Internet a first official statement was released that was suggesting an early release of Firefox 3.0.8 on March 30, 2009. Many users felt that the Mozilla team should release the new version earlier than that after fixes for the vulnerabilities had been confirmed to close the security hole for every Firefox user.

The good news is that Firefox 3.0.8 has already been uploaded to the official Mozilla ftp site. It can be downloaded from there by everyone. The problem is that some users and the Mozilla team discouraged users to post links to those new releases to avoid disturbing the mirror distribution process and to avoid complications if that release will receive a last minute fix.

That’s a catch-22 situation as you can imagine. Interested users should perform a search for the Mozilla ftp site on Google or another search engine to locate it. They will find a Firefox directory there and another subdirectory called 3.0.8 which contains downloads for all languages and operating systems supported.

If you want to be safe download it right away. If you want to wait for the official announcement install and use the No Script add-on to increase Firefox security and avoid falling prey to the vulnerability.

Tags: firefox, firefox 3, firefox vulnerability, firefox-update, mozilla-firefox, web browser

Latest Firefox Web Browser Vulnerable to 0-Day Exploit

Martin — Thu, 26 Mar 2009 14:32:58 +0000

Dante send me a tip about a 0-day exploit that is affecting the latest versions of the popular Firefox web browser. The exploit is described as a remote memory-corruption vulnerability that is affecting Firefox running on all supported operating systems. A proof of concept has been published by the security researcher and the Mozilla team has acknowledged the existence and announced plans to rush a Firefox 3.0.8 update at the beginning of next week.

The Firefox exploit could be used to add software to the target system without the knowledge of the users. There is currently no solution to block this attack from being executed other than being very careful about the visited websites. The safest would be to switch to another web browser at least for the time until the Mozilla developers have published the update that fixes the vulnerability in the web browser or a hot fix becomes known.

The issue has already been fixed according to the bug report that was filed at the Mozilla website and is now awaiting verification.

Tags: firefox, firefox 3, firefox bu, firefox exploit, firefox security, firefox vulnerability, mozilla-firefox, web browser

Firefox 3.0.1 released

Martin — Thu, 17 Jul 2008 06:16:38 +0000

Shortly after releasing version Firefox 2.0.0.16 the Firefox development team released another update this time for Firefox 3. The update fixes three security updates that have a critical rating making this a security update. It is recommended to update Firefox 3 as soon as possible to close the security holes.

Two of my add-ons stopped working and I had to manually edit them so that they I could continue using them. Two of the three vulnerabilities have been the same that were fixed in Firefox 2 while one is a Gif rendering vulnerability on Mac OS X that could crash the browser.

The other two just for those who have not read the update post are a remote code execution vulnerability and the launching of multiple tabs when Firefox is not running.

Besides that several other updates have been made, most notably several stability and bug fixes. For a complete list of changes check the release notes. The download is available at the official Mozilla Firefox 3 website. Automatic Updates have been kicking in as well.

Tags: firefox, firefox 3, firefox vulnerability, firefox-update, mozilla

Firefox 2.0.0.16 Security Update

Martin — Wed, 16 Jul 2008 09:03:20 +0000

Man the Firefox development team is releasing new Firefox 2 versions like crazy. Firefox 2.0.0.16 is the latest Firefox 2 release and a recommended update for everyone that is still running version 2 of the popular browser.

The update is a security update that fixes two critical security vulnerabilities that allow remote code execution and the opening of multiple tabs if Firefox is not running. Take a look at the Mozilla Foundation Security Advisory articles here and here if you want to read up on the vulnerabilities.

The latest version of Firefox can be downloaded right from the Mozilla website which includes versions for all supported operating systems and languages. Automatic upgrades will be available in the next 24-48 hours as well.

Tags: firefox, firefox 2, firefox security, firefox vulnerability, firefox-update

gHacks technology news » firefox vulnerability

Another Critical Firefox Vulnerability Emerges

Related posts

Firefox 3.5.1 Update Available

Related posts

Critical Security Vulnerability In Firefox 3.5

Related posts

Web Browser: Firefox 3.0.8

Related posts

Latest Firefox Web Browser Vulnerable to 0-Day Exploit

Related posts

Firefox 3.0.1 released

Related posts

Firefox 2.0.0.16 Security Update

Related posts