Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Latest News
    • Blogs
    • Security Watch

    Most Critical Firefox Flaw Remains Unzapped

    By
    Lisa Vaas
    -
    February 24, 2007
    Share
    Facebook
    Twitter
    Linkedin

      The most critical flaw in Firefox hasn’t been addressed in the update released today.

      Mozilla’s out with Firefox updates and is urging that customers upgrade immediately to fix critical security holes and stability issues. Issued today were Firefox 1.5.0.10, Firefox 2.0.0.2, and Thunderbird 1.5.0.10, available for Windows, Mac and Linux at getfirefox.com and getthunderbird.com.

      Mike Schroepfer, vice president of engineering, said in a written release that the update resolves Firefox’s critical location.hostname vulnerability, along with other unspecified security and stability issues.

      Unmentioned was another critical flaw, discovered yesterday, having to do with memory corruption and possible PC takeover.

      Digging into the details of the fixes initially revealed that the memory corruption issue was indeed fixed in 2.0.0.2.

      However, a Mozilla spokesperson has said that she has received confirmation that the memory corruption bug (bug 371321) has not been addressed in the 2.0.0.2 update. “Mozilla is investigating the issue but does not have a comment at this time,” she said in an e-mail exchange.

      The full list of fixes in that release:

      MFSA 2007-07 Embedded nulls in location.hostname confuse same-domain checks. This is a high severity flaw, with the vulnerability able to be used to gather sensitive data from sites in other windows or to inject data or code into those sites, requiring no more than normal browsing actions. MFSA 2007-06 Mozilla Network Security Services (NSS) SSLv2 buffer overflow MFSA 2007-05 XSS and local file access by opening blocked popups MFSA 2007-04 Spoofing using custom cursor and CSS3 hotspot MFSA 2007-03 Information disclosure through cache collisions MFSA 2007-02 Improvements to help protect against Cross-Site Scripting attacks MFSA 2007-01 Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2). This is the most critical of the bunch, with the vulnerability able to be used to run attacker code and install software, requiring no user interaction beyond normal browsing.

      The rest of the list is composed of flaws that are moderate to low risk. The critical location.hostname flaw, along with the other low- to medium-risk flaws, make the upgrade advisable, but Firefox at this point appears to still be vulnerable to the worst of the bunch.

      *Note: This posting was changed to reflect Mozilla’s update on bug 371321 not having been addressed in the update.

      Avatar
      Lisa Vaas
      Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×