Posted on 01/06/2005 11:10:03 AM PST by itsamelman
Mozilla vulnerabilities identified Most serious bug affects all versions of Mozilla prior to 1.7.5 and could result in system crash
By Matthew Broersma, Techworld January 06, 2005
Users of the Mozilla and Firefox browsers and the Thunderbird e-mail client may be vulnerable to flaws that could allow an attacker to spy on or take over a system, according to security researchers.
The most serious bug affects all versions of Mozilla earlier than 1.7.5, and could result in a system crash or the execution of malicious code, the Mozilla Project said. A boundary error in the way Mozilla handles "news://" addresses can be used to cause a heap-based buffer overflow, which crashes the application and may allow for code execution, according to an advisory from Maurycy Prodeus of iSEC Security Research, who discovered the flaw.
An attacker could exploit the bug by creating an overly-long "news://" link, distributed in an e-mail or on a Web page, and enticing a user to click on it. Such methods have been successfully used to spread worms. Mozilla Version 1.7.5 fixes the problem. Independent security research firm Secunia gave the bug a "highly critical" rating.
To exploit the flaw, the attacker must point to a real news server that is accessible. Prodeus created a proof-of-concept file that demonstrates the bug.
Firefox and Thunderbird are affected by less serious problems. The first is a vulnerability in the way they store temporary files -- the files are sometimes stored with predictable names and in a format that allows anyone to read them. This means a local attacker could easily read the contents of another user's attachments or downloads, according to researchers.
Finally, a Secunia researcher discovered a way of spoofing the names of file downloads in Firefox. A malicious site could use the bug to disguise the true nature of files the user is downloading, or to get information on the presence of specific files on the local system.
These bugs are all fixed in Firefox 1.0 and newer, and Thunderbird 0.9 and newer.
In recent months many users have begun switching to browsers such as Firefox and Mozilla because of increasingly serious security risks affecting Microsoft's (Profile, Products, Articles) dominant Internet Explorer. However, the newfound popularity of the Mozilla-based browsers has been accompanied by greater scrutiny by security researchers, and the regular discovery of new flaws.
I use Mozilla and i can attest to the fact that it is Pop-up and Ad free....it works very well and i have not experienced the "Vulnerabilities"
It beats the pants off of Microsoft IE
This article was brought to you by Microsoft. If we're going to crash and burn, we want our competitors destroyed in the process. Microsoft, if you don't find a security flaw in our software, its free. - Patches O'Brien, V.P. Security Updates for Life.
LOL. Exactly.
No. FF is a stand alone app. It shouldn't affect any other app on your system. I use FF and IE. There's no conflicts.
Six weeks - 0 spyware/malware/adware with Firefox. So far, with the exception of 3 critical pages that I have to run at work and a couple of video pages, Foxfire has worked pretty well.
Bump
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.