Mozilla Firefox 2.0.0.5 Released with Fix for firefoxurl:// Exploit - MozillaZine Talkback
Mozilla Firefox 2.0.0.5 Released with Fix for firefoxurl:// Exploit
Wednesday July 18th, 2007
Mozilla Firefox 2.0.0.5 has been released and is currently being distributed to Firefox 2 users via the application's built-in software update system. The browser upgrade fixes several security bugs, which are detailed in the Firefox 2.0.0.5 section of the Mozilla Foundation Security Advisories page.
Firefox 2.0.0.5 includes a fix for the firefoxurl:// security exploit, which allows an attacker to use Microsoft Internet Explorer to trick Firefox into executing malicious code. Whether Firefox or IE is responsible for the flaw has been a matter of debate over the past week. The Mozilla Foundation Security Advisory about the firefoxurl:// issue maintains that it's a problem in IE and notes that other applications could be exploited in the same way. Others have argued that it's Firefox's responsibility to vet incoming data (something 2.0.0.5 now does).
Firefox 2.0.0.5 can be downloaded from the Firefox product page. The Firefox 2.0.0.5 release notes contain more general information about the upgrade. A similar update for Mozilla Thunderbird is expected shortly.
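As an added illustration of the argument-quoting problem the blame debate is about (example code written for this page, not from MozillaZine, Mozilla or Microsoft; the handler template, the sample URL and the vetting rules are assumptions), the launcher that substitutes the URL without escaping sits beside the two fixes the thread contrasts: escaping on the launcher side and vetting on the receiver side:

```python
# Added example (not MozillaZine, Mozilla or Microsoft code) modelling the
# quoting problem behind the firefoxurl:// issue. A URL-protocol handler is
# registered as a command template; a launcher that pastes the URL into %1
# without escaping lets a quote inside the URL close the argument early, so
# the remainder is parsed as extra command-line arguments. The template,
# the sample URL and the vetting rules are assumptions made for illustration.

HANDLER_TEMPLATE = 'firefox.exe -url "%1"'  # assumed registration shape

def split_args(cmdline: str):
    """Simplified Windows-style splitting: whitespace separates arguments,
    double quotes group them, and a backslash escapes a following quote."""
    args, cur, quoted, i = [], "", False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\" and cmdline[i + 1:i + 2] == '"':
            cur, i = cur + '"', i + 2
            continue
        if c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            if cur:
                args.append(cur)
            cur = ""
        else:
            cur += c
        i += 1
    return args + [cur] if cur else args

def launch_unescaped(url: str):
    """A launcher that substitutes %1 verbatim (the unescaped-quote blame)."""
    return split_args(HANDLER_TEMPLATE.replace("%1", url))

def launch_escaped(url: str):
    """Launcher-side fix: escape embedded quotes before substitution."""
    return split_args(HANDLER_TEMPLATE.replace("%1", url.replace('"', '\\"')))

def vet_incoming_url(url: str) -> bool:
    """Receiver-side fix (the 'vet incoming data' argument): accept only a
    firefoxurl: URL containing no quote or control characters."""
    if not url.lower().startswith("firefoxurl:"):
        return False
    return not any(c == '"' or ord(c) < 0x20 for c in url)

HOSTILE = 'firefoxurl:x" -injected "y'  # constructed sample, not a real payload
```

With the constructed sample, launch_unescaped(HOSTILE) yields five arguments, launch_escaped(HOSTILE) keeps the URL as a single argument, and vet_incoming_url(HOSTILE) rejects it.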
#1 Clarification on the "argument"
by schapel
Wednesday July 18th, 2007 6:12 am
Just to clear the blame game up once and for all, both IE and Firefox are to blame. According to Thor Larholm:
"Internet Explorer and Firefox are both to blame. Firefox could have registered their URL protocol handler differently, for example with pure DDE, but IE is still to blame for not escaping " (quote) characters."
<http://blogs.zdnet.com/security/?p=362>
#12 Re: Clarification on the "argument"
by fattmattp
Friday July 20th, 2007 10:22 am
Well, at least one of them is now fixed. :-)
#2 MFSA 2007-24
by alexbishop <alex@mozillazine.org>
Wednesday July 18th, 2007 6:19 am
MFSA 2007-24 at <http://www.mozilla.org/se…nce/2007/mfsa2007-24.html> is amusing. It starts off with a standard description of the problem, then segues into a thoroughly post-modern discussion about the severity:
"Dan says: 'Stealing sensitive data' should be sg:high (possibly lowered to sg:moderate if it's a completely unreliable attack, involves unlikely user interaction, or not really any potential victim sites matching the criteria. There are enough Ajaxy sites potentially vulnerable to stick with 'high'). Boris, which is it? Can you massage this description into just the cases we know about?"
Alex
#3 MSIE bug
by hwc
Wednesday July 18th, 2007 7:20 am
Good for Firefox! It doesn't matter who's at fault. If it harms Fx users, Fx should fix it and let M$ squabble and point fingers and look like idiots. If it only happens when Fx is installed on the system, I assume people are running both browsers, side-by-side as a test. It's good to make Fx look best and most concerned with their users' safety and protection.
#4 I agree
by eyesonly
Wednesday July 18th, 2007 10:38 am
I agree with hwc in what he said above. The fact that Mozilla fixed this first and foremost kind of leaves M$ sitting there now with egg on their faces, showing the world just how much, and how serious they are, about their client's/user's security.
Bravo Mozilla! Two thumbs up for yet another job well done!
Kind regards,
Eyes-Only/L'Peau-Rouge
#5 x86_64 Linux version?
by mhenriday <mhenriday@gmail.com>
Wednesday July 18th, 2007 12:01 pm
I fully agree - Mozilla has acquitted itself very well indeed in this incident - much better (to, I suspect, no one's surprise) than Microsoft. But one question: is there a native x86_64 version for Linux, or are we going to have to force the architecture to conform to 32-bit standards, as in so many other applications?...
Henri
#8 Re: x86_64 Linux version?
by aaron44126
Thursday July 19th, 2007 10:40 am
There is no official x86_64 version for Linux directly from Mozilla (never has been). You can build it yourself if you like; I believe there are instructions for this floating around the Internet.
Typically, if you have an x86_64 Linux distro, an x86_64 version of Firefox is provided by the people behind it and updates are delivered through the distro's online package system. (This is how it is in Fedora anyway, which I use from time to time.)
#6 What is the status of Thunderbird?
by bjherbison <bj@herbison.com>
Wednesday July 18th, 2007 5:07 pm
The US-CERT says there's also a Thunderbird 2.0.0.5.
<http://www.us-cert.gov/ca…techalerts/ta07-199a.html>
B.J.
#10 Re: What is the status of Thunderbird?
by bjherbison <bj@herbison.com>
Friday July 20th, 2007 1:23 am
To answer my own question, a Thunderbird update is now available. B.J.
#7 Useless to blame anyone
by kurtis
Wednesday July 18th, 2007 5:48 pm
As I stated in the other topic, I launched the proof of concept from SeaMonkey, a fellow Gecko application, not Internet Explorer. I don't see why IE should be blamed when it's not the only one that is vulnerable to executing the exploit. In any case, it's just good that it's fixed now. I don't really care who is at fault, just that there's an official fix for the problem.
#9 Mozilla Firefox, Portable Edition 2.0.0.5 released
by critternyc
Thursday July 19th, 2007 12:46 pm
The portable version of Firefox that runs from USB flash drives, iPods, portable hard drives, etc. has been updated to 2.0.0.5 as well:
<http://portableapps.com/n…_firefox_portable_2.0.0.5>
#11 Two questions
by deross
Friday July 20th, 2007 9:28 am
1. With all the public disclosures about the vulnerability, why is access to bug #384384 still restricted? Try viewing <https://bugzilla.mozilla.…rg/show_bug.cgi?id=384384>
2. What purposes do the firefoxurl and firefoxhtml protocols serve? I have seen comments that the protocols are for interfacing with Windows Vista but no specifics.
#13 I use SUSE Linux... so I don't need this release ;)
by caetck
Thursday July 26th, 2007 5:06 pm
I use SUSE Linux... so I don't need this release ;)
Thank goodness for that!
~Amber~
MozillaZine and the MozillaZine logo copyright © 1998-2007 MozillaZine. All rights reserved.