Posted on 02/26/2005 5:13:25 PM PST by demlosers
FEBRUARY 26, 2005 (IDG NEWS SERVICE) - Several security vulnerabilities in Firefox and the Mozilla Suite of Internet software put users of the open-source products at risk of hacker attacks, the Mozilla Foundation warned this week.
The organization released Firefox 1.0.1, which fixes 17 security flaws in the popular Web browser. The most serious flaws could allow an attacker to gain full control over a victim's PC, the Mozilla Foundation said in a statement. Firefox 1.0 was released in November and has since been downloaded more than 27 million times.
Firefox 1.0.1 also includes several fixes to guard against spoofing of Web addresses and the security indicator on Web sites. These vulnerabilities could be exploited for phishing scams, which typically use spam e-mail messages to drive people towards fraudulent Web pages that look like legitimate e-commerce sites.
One of the changes made in Firefox 1.0.1 is in the way the browser handles international domain names (IDNs). These names are now displayed differently to make it easier to spot spoofed Web sites. Because of the way Firefox displayed IDNs, it was possible to register domain names with international characters that resembled other common characters, thus tricking users into believing they were on a trusted Web site.
For protection against possible exploitation of the security flaws, users should download and install the latest version of Firefox, the Mozilla Foundation said. The organization does not offer patches to fix the problems without having to install a new browser.
Most of these flaws also affect the Mozilla Suite, which includes a Web browser, an e-mail client, Internet Relay Chat client and Web page editor. However, users of the suite are left vulnerable because no fixes are yet available. Mozilla 1.7.6, the update that fixes the issues, is due out in "a couple of weeks," according to a Mozilla Foundation spokesman.
The public warning of the security vulnerabilities is evidence that the Mozilla Foundation's products give a false sense of security, charged Thor Larholm, a researcher with PivX Solutions Inc., a Newport Beach, Calif.-based firm that specializes in security for Windows-based systems. "We have to remember that all software has security vulnerabilities, the only difference is in how we anticipate them and inform the world about their existence," he said via e-mail.
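The lookalike-character problem the article describes for international domain names, as an added example (not part of the article and not Mozilla's code): it reports the ASCII ("xn--") form of a hostname and flags labels that mix scripts. The function names and the sample hostnames are assumptions constructed for illustration.

```javascript
// Added example (not from the article). Hostnames below are constructed;
// `.example` is a reserved documentation TLD.
const SCRIPT_NAMES = ['Latin', 'Cyrillic', 'Greek', 'Armenian', 'Hebrew',
  'Arabic', 'Han', 'Hiragana', 'Katakana', 'Hangul'];
const SCRIPT_RES = SCRIPT_NAMES.map(
  (name) => [name, new RegExp(`\\p{Script=${name}}`, 'u')]);
const NEUTRAL = /[\p{Script=Common}\p{Script=Inherited}]/u; // digits, hyphen, marks

// Return the sorted list of scripts used by the letters of one DNS label.
function scriptsIn(label) {
  const found = new Set();
  for (const ch of label) {
    if (NEUTRAL.test(ch)) continue;
    const hit = SCRIPT_RES.find(([, re]) => re.test(ch));
    found.add(hit ? hit[0] : 'Other');
  }
  return [...found].sort();
}

// ASCII ("xn--") form of a hostname as the platform URL parser computes it,
// or null if the name is not a valid host.
function toAscii(host) {
  try { return new URL(`http://${host}/`).hostname; } catch { return null; }
}

function inspectHost(host) {
  const labels = host.normalize('NFC').toLowerCase().split('.')
    .map((label) => ({ label, scripts: scriptsIn(label) }));
  return {
    host,
    ascii: toAscii(host),
    nonAscii: /[^\x00-\x7f]/.test(host),
    // Mixed scripts inside one label are a strong lookalike signal. A label
    // written wholly in another script is not flagged here; the ASCII form
    // is what makes that case visible.
    mixedScript: labels.some((l) => l.scripts.length > 1),
    labels,
  };
}

for (const h of ['bank.example', 'b\u0430nk.example', 'm\u00fcnchen.example']) {
  const r = inspectHost(h);
  console.log(`${r.ascii}  nonAscii=${r.nonAscii}  mixedScript=${r.mixedScript}`);
}
```

The second sample contains a Cyrillic "а" (U+0430) in place of the Latin "a"; it renders the same on screen but is reported as mixed-script and with an "xn--" ASCII form.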
ha ha ha. ho ho ho. I'm putting you into the Microsoft suck-up weenie file, Thor. Sorry to let you down, but denial is what leads to a false sense of security.
Thor used to be a huge Microsoft basher until they bought him out.
I've got a bug called "180 Solutions" Adware dumped on me, had to shut that 'puter down and go to backup. The manual fix is kinda scary for a novice.
Is there anything safe out there? Are the spyware and anti-adware programs worth it? How long before they are obsolete?
Thanks! I knew someone here would have some info, I was glad to see a related thread to post on.
Every piece of complex software has potential problems. Firefox is no different from other programs in that respect.
I use it because it is the best browser on the market right now. If MS improves IE so that it is better than Firefox, I'll use it.
When updating Firefox do you just run the setup program or do you need to uninstall the older 1.0 version before installation of the new one?
Just asking.
Browser Wars, take two
various FR links | 12-22-04 | The Heavy Equipment Guy
http://www.freerepublic.com/focus/f-news/1306815/posts
...and let your compiler of links drop out of Lurk & Link mode for comment and advice:
Ditch IE. Honest to God, almost anything else will give you fewer problems. Try and compare- use IE, then run Ad-Aware and Spybot Search & Destroy... then try another browser and repeat. You will be stunned at the garbage IE attracts.
Keep your OS updated & patched.
Run a hardware firewall-- with today's LANs, it's easy. You need a hardware firewall.
Use a software firewall, too-- if you don't, you'll never know how many times your PC is trying to "phone home" and send your info across the web.
ping
Thanks for the info. I've got Spybot S&D running on dirty computer now. Didn't realize what a double life my machine has been living.
My wife cleaned out 567 pieces of malware from the office computer just using Ad-Aware SE. MSantispyware found 6 more. You have to run more than one scan to get everything.
The people who write and propagate this garbage should be horsewhipped.
bump
Mozilla recommends you uninstall 1.0 before installing 1.0.1, due to a long-standing installation bug that really should be fixed (along with a few other nagging bugs, IMO.)
You won't lose your settings just by uninstalling Firefox--you'd have to manually delete your profile, which is stored in a directory separate from your /Mozilla Firefox directory, to lose all that. So the process is perfectly safe, just extremely annoying.
IMO, Webroot Spysweeper and MS Anti-Spyware should be added to everyone's reflexive impulse to recommend Ad-aware and Spybot. It takes more than one program to catch everything, and even though Spysweeper is a 30-day trial and Anti-Spyware is in beta, they'll still catch whatever filters past Ad-aware and Spybot.
There are scattered reports of problems with extensions if you try to install overtop an existing installation, so I would suggest doing one of two things. A) uninstall 1.0 and install 1.0.1 (your settings should be preserved if you do this), or; B) wait a week for the update servers to go live with the fix, and upgrade from within Firefox itself.
Understandable, but I don't think options should be eliminated when it comes to spyware. Ad-aware and Spybot simply don't eliminate everything.
Actually, it runs fine on 2000, but not on any of the 9X versions.