Aug 24, 2009

Thunderbird Version 2.0.0.23 released

Published by hirantha at 9:01 AM under Mozilla | Thunderbird | Open Source

A new version of Thunderbird, version 2.0.0.23, is available. This update fixes MFSA 2009-42 (Compromise of SSL-protected communication).

If you are a Thunderbird user, it is probably best to apply this update as soon as convenient.

Note that this update, which affects multiple Mozilla products, appears to have changed the rules for security certificates generated with wildcards. More information is available at the Fourmilab Blog.




Jul 16, 2009

Firefox 3.5 new exploit

Published by hirantha at 10:26 AM under Firefox | Mozilla | Security

The Mozilla security blog confirms that an exploit against an unpatched vulnerability in Firefox 3.5 exists and has been made public.

Do note that Heise tried to confirm the vulnerability and only managed a crash on Vista, and could not make it work on Windows 7 RC1:
http://www.h-online.com/security/First-Zero-Day-Exploit-for-Firefox-3-5--/news/113761

The Mozilla blog post above gives a workaround: temporarily disable the javascript.options.jit.content setting in about:config.

Alternatively, one could install and use NoScript to disable all JavaScript by default.




Mar 27, 2009

Firefox and Seamonkey Vulnerabilities

Published by hirantha at 10:49 PM under Security | Mozilla | Firefox


In addition to the "pwn2own" vulnerability used at CanSecWest last week to compromise a system through the Firefox web browser, a new vulnerability involving XSL Transforms has been published. This vulnerability impacts both the latest Firefox 3.0.7 and Seamonkey 1.1.15 browsers.

Mozilla is working on updates for both packages and expects the updated versions to be released by April 1.

A proof-of-concept exploit for the XSL Transform vulnerability has been released. If the attack succeeds, arbitrary code can be run in the context of the browser. If the attack fails, a DoS condition is likely for the browser.

For more information about the XSL Transform issue, see:

BugTraq
Secunia Advisory
VUPEN Advisory
Bugzilla Entry
Mozilla Security Blog


