Description
Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to manipulate certain data, bypass certain security restrictions, disclose sensitive information, or compromise a user's system.
1) An integer overflow error exists in the processing of WOFF fonts. This can be exploited to cause a heap-based buffer overflow and execute arbitrary code via a web page embedding a WOFF font with an overly large "origLen" field.
2) A use-after-free error in the libpr0n library when handling animations received via the "multipart/x-mixed-replace" mime-type where the bits-per-pixel changes may be exploited to execute arbitrary code.
3) An error in the implementation of the "window.location" JavaScript object can be exploited to bypass access restrictions imposed by certain plugins and disclose data from a different domain or from the local system.
4) Multiple errors in the browser engine can be exploited to corrupt memory and potentially execute arbitrary code.
5) An error related to the implementation of the "addEventListener()" and "setTimeout()" methods can be exploited to capture keystroke events from a cross-origin frame or window.
This is related to vulnerability #3 in:
SA26095
6) An error in the implementation of security checks used when preloading images can be exploited to perform privileged actions via certain add-ons, by specifying a restricted protocol.
7) An error in the processing of stylesheets used in XUL documents can be exploited to pollute the XUL cache and change browser style attributes.
8) An error in the implementation of the asynchronous Authorization Prompt can be exploited to potentially capture HTTP authorization credentials used for another domain.
9) Multiple errors in the browser engine can be exploited to corrupt memory and potentially execute arbitrary code.
10) A use-after-free error in the parsing of .XUL files with "<option>" elements appended to a XUL tree "<optgroup>" may be exploited to execute arbitrary code.
11) A use-after-free error within the implementation of the "window.navigator.plugins" object may be exploited to execute arbitrary code.
12) An error related to mouse clicks and drag and drop operations in combination with a browser applet can be exploited to execute arbitrary script code with "chrome" privileges.
13) A vulnerability is caused by an error in the TLS protocol when handling session renegotiations.
For more information:
SA38400
14) An error when processing XML documents can be exploited to load restricted resources and bypass security policies set by the browser or installed add-ons.
Note: This also fixes a problem with image "src" tags pointing to resources redirecting to a "mailto:" URI, triggering a launch of the external mail handler application.
The vulnerabilities are reported in versions prior to 3.6.2.
Solution
Update to version 3.6.2 and set the "security.ssl.require_safe_negotiation" preference to "true".
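Item 1 above describes an integer overflow in WOFF font processing triggered by an oversized "origLen" field. The following is an added, constructed C illustration of that bug class and its mitigation (not Firefox's decoder and not the advisory's reproduction): a naive 32-bit sum of the WOFF table directory's origLength fields next to a version that does the arithmetic in 64 bits and rejects fonts whose claimed sizes are inconsistent. The header layout follows the WOFF 1.0 specification; the function names and the two sample fonts are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* WOFF 1.0 layout (big-endian): 44-byte header (signature, flavor, length,
 * numTables, reserved, totalSfntSize, ...), then numTables 20-byte directory
 * entries (tag, offset, compLength, origLength, origChecksum). A decoded sfnt
 * needs a 12-byte header, 16 bytes of directory per table, tables padded to 4. */
#define WOFF_HEADER_SIZE    44
#define WOFF_DIR_ENTRY_SIZE 20
#define SFNT_HEADER_SIZE    12
#define SFNT_DIR_ENTRY_SIZE 16
#define DIR_ENTRY(woff, i)  ((woff) + WOFF_HEADER_SIZE + (size_t)(i) * WOFF_DIR_ENTRY_SIZE)

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}
/* Naive sizing (a constructed illustration of the bug class, not Firefox's
 * decoder): a 32-bit running sum of padded origLength values. Two entries near
 * 4 GiB wrap it to a few hundred bytes, so a buffer allocated from this value
 * is far smaller than the data later decompressed into it. */
uint32_t woff_sfnt_size_unchecked(const uint8_t *woff, size_t len) {
    if (len < WOFF_HEADER_SIZE) return 0;
    uint16_t n = be16(woff + 12);
    if (len < WOFF_HEADER_SIZE + (size_t)n * WOFF_DIR_ENTRY_SIZE) return 0;
    uint32_t total = SFNT_HEADER_SIZE + (uint32_t)n * SFNT_DIR_ENTRY_SIZE;
    for (uint16_t i = 0; i < n; i++)
        total += (be32(DIR_ENTRY(woff, i) + 12) + 3u) & ~3u;    /* wraps silently */
    return total;
}

/* Hardened sizing: 64-bit arithmetic, every field checked against the limits
 * the file itself must satisfy. Returns 0 and writes the sfnt size on success,
 * -1 on any inconsistency (the font is then rejected rather than decoded). */
int woff_sfnt_size_checked(const uint8_t *woff, size_t len, uint32_t *out) {
    if (len < WOFF_HEADER_SIZE || memcmp(woff, "wOFF", 4) != 0) return -1;
    uint16_t n = be16(woff + 12);
    uint32_t claimed = be32(woff + 16);                          /* totalSfntSize */
    if ((uint64_t)WOFF_HEADER_SIZE + (uint64_t)n * WOFF_DIR_ENTRY_SIZE > len) return -1;
    uint64_t total = (uint64_t)SFNT_HEADER_SIZE + (uint64_t)n * SFNT_DIR_ENTRY_SIZE;
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = DIR_ENTRY(woff, i);
        uint32_t offset = be32(e + 4), comp_len = be32(e + 8), orig_len = be32(e + 12);
        if ((uint64_t)offset + comp_len > len) return -1;   /* table data outside file */
        if (comp_len > orig_len) return -1;                 /* compressed > decompressed */
        total += ((uint64_t)orig_len + 3) & ~(uint64_t)3;
        if (total > UINT32_MAX) return -1;                  /* would wrap a 32-bit size */
    }
    if (total != claimed) return -1;        /* spec: totalSfntSize must match exactly */
    *out = (uint32_t)total;
    return 0;
}
/* Constructed sample builder: header, directory and dummy table bytes laid out
 * back to back. Returns the file length, or 0 if it does not fit in buf. */
size_t build_woff(uint8_t *buf, size_t cap, const uint32_t *orig, const uint32_t *comp,
                  uint16_t n, uint32_t claimed_sfnt_size) {
    size_t off = WOFF_HEADER_SIZE + (size_t)n * WOFF_DIR_ENTRY_SIZE, total = off;
    for (uint16_t i = 0; i < n; i++) total += comp[i];
    if (total > cap) return 0;
    memset(buf, 0, total);
    memcpy(buf, "wOFF", 4);
    put32(buf + 4, 0x00010000u);                 /* flavor: TrueType outlines */
    put32(buf + 8, (uint32_t)total);             /* length of the WOFF file */
    buf[12] = (uint8_t)(n >> 8); buf[13] = (uint8_t)n;
    put32(buf + 16, claimed_sfnt_size);
    for (uint16_t i = 0; i < n; i++) {
        uint8_t *e = DIR_ENTRY(buf, i);
        memcpy(e, "tabl", 4);
        put32(e + 4, (uint32_t)off); put32(e + 8, comp[i]); put32(e + 12, orig[i]);
        off += comp[i];
    }
    return total;
}
/* Benign font: tables of 100 and 7 bytes -> 12 + 2*16 + 100 + 8 = 152. */
uint32_t demo_benign(void) {
    uint8_t buf[256]; uint32_t size = 0;
    uint32_t orig[2] = {100, 7}, comp[2] = {100, 7};
    size_t len = build_woff(buf, sizeof buf, orig, comp, 2, 152);
    return woff_sfnt_size_checked(buf, len, &size) == 0 ? size : 0;
}
/* Hostile font: a 116-byte file whose origLength fields sum past 4 GiB.
 * The naive sum wraps to (44 + 0xFFFFFF00 + 0x200) mod 2^32 = 300 bytes. */
static size_t build_hostile(uint8_t *buf, size_t cap) {
    uint32_t orig[2] = {0xFFFFFF00u, 0x200u}, comp[2] = {16, 16};
    return build_woff(buf, cap, orig, comp, 2, 300);
}
uint32_t demo_hostile_unchecked(void) {
    uint8_t buf[256];
    return woff_sfnt_size_unchecked(buf, build_hostile(buf, sizeof buf));
}
int demo_hostile_checked(void) {
    uint8_t buf[256]; uint32_t size = 0;
    return woff_sfnt_size_checked(buf, build_hostile(buf, sizeof buf), &size);
}
```

The hostile sample is only 116 bytes on disk, yet the naive sizing would hand the allocator 300 bytes for roughly 4 GiB of claimed table data; the checked version refuses it before any buffer is allocated.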
Provided and/or discovered by
1) Reportedly a module for VulnDisco Pack. Independently reported by regenrecht via ZDI.
2, 10, 11) regenrecht, reported via ZDI
The vendor credits:
3) Blake Kaplan
4) Bob Clary, Jesse Ruderman, Bob Clary, and Carsten Book
5) moz_bug_r_a4
6) Josh Soref, Nokia
7, 14) Wladimir Palant
8) Justin Dolske
9) Martijn Wargers, Josh Soref, Ehsan Akhgari, and Jesse Ruderman
12) Paul Stone
Original Advisory
Mozilla:
http://blog.mozilla.com/security/2010/03/18/update-on-secunia-advisory-sa38608/
http://www.mozilla.org/security/announce/2010/mfsa2010-08.html
http://www.mozilla.org/security/announce/2010/mfsa2010-09.html
http://www.mozilla.org/security/announce/2010/mfsa2010-10.html
http://www.mozilla.org/security/announce/2010/mfsa2010-11.html
http://www.mozilla.org/security/announce/2010/mfsa2010-12.html
http://www.mozilla.org/security/announce/2010/mfsa2010-13.html
http://www.mozilla.org/security/announce/2010/mfsa2010-14.html
http://www.mozilla.org/security/announce/2010/mfsa2010-15.html
http://www.mozilla.org/security/announce/2010/mfsa2010-16.html
http://www.mozilla.org/security/announce/2010/mfsa2010-18.html
http://www.mozilla.org/security/announce/2010/mfsa2010-19.html
http://www.mozilla.org/security/announce/2010/mfsa2010-20.html
http://www.mozilla.org/security/announce/2010/mfsa2010-22.html
http://www.mozilla.org/security/announce/2010/mfsa2010-23.html
http://www.mozilla.org/security/announce/2010/mfsa2010-24.html
Intevydis:
https://forum.immunityinc.com/board/thread/1161/vulndisco-9-0/
http://intevydis.blogspot.com/2010/03/firefox-hoax-or-not_04.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-047/
http://www.zerodayinitiative.com/advisories/ZDI-10-048/
http://www.zerodayinitiative.com/advisories/ZDI-10-049/
http://www.zerodayinitiative.com/advisories/ZDI-10-064/

jasasecunia
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
22nd Feb, 2010 13:47
Score: -6 Posts: 1 User Since: 22nd Feb 2010 System Score: N/A Location: FR Last edited on 22nd Feb, 2010 13:47
Secunia, did you test it yourself?

RobertMaier
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
22nd Feb, 2010 16:03
Score: -2 Posts: 1 User Since: 22nd Feb 2010 System Score: N/A Location: AT Last edited on 22nd Feb, 2010 16:03
This report seems to be a hoax. In the forum post, some users already write that the exploit does not work. Secunia seems not to have tested it, but just used the information written by some unserious "Russian security researcher" (aka blackhat hacker) who wants to sell his product.

azbob
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
23rd Feb, 2010 03:52
Score: 13 Posts: 2 User Since: 23rd Feb 2010 System Score: N/A Location: US Last edited on 23rd Feb, 2010 03:52
From the Mozilla Security Blog:
> Mozilla is aware of the claim of a zero-day in Firefox as posted here: http://secunia.com/advisories/38608/. We cannot confirm the report as we have received no details regarding the reported vulnerability, such as a proof-of-concept or steps to reproduce. We've attempted to contact the researcher who discovered the issue but have not received a response.
> Mozilla takes all reports of security vulnerabilities seriously. As always, if you have information about security issues, please send details to security@mozilla.org.
> Lucas Adamski, Mozilla Security

Dr Zen
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
This reply has been minimised due to a negative Relevancy Score.

drfeedback
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
23rd Feb, 2010 16:53
Score: -5 Posts: 1 User Since: 23rd Feb 2010 System Score: N/A Location: US Last edited on 23rd Feb, 2010 16:53
I noticed that there are no posts newer than Feb 4 on the VulnDisco thread where this was first announced. Posting stopped shortly after "Mario23" questioned the validity of this vulnerability claim because he couldn't duplicate it. This seems suspicious, yet Secunia grabbed it with both hands and ran with it.

Anthony Wells
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
23rd Feb, 2010 17:45
Score: 743 Posts: 1,766 User Since: 19th Dec 2007 System Score: N/A Location: N/A
Lack of co-operation on a security matter from whatever site has unpleasant overtones for me/us, the common user. I feel fairly secure as I run my browsers in a sandbox ("Sandboxie"); but I would expect Secunia to comment further on this problem having put out an Advisory on a "muddy" situation, especially if they can confirm the exploit and Mozilla don't seem able.
Take care
Anthony
--
It always seems impossible until it's done.
Nelson Mandela

jeng1111
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
26th Feb, 2010 14:29
Score: -4 Posts: 1 User Since: 26th Feb 2010 System Score: N/A Location: US Last edited on 26th Feb, 2010 14:29
Not just Secunia, but everyone has taken this and run with it. It ends up being a kind of "slander" against Firefox. I just received word about it in the SANS vulnerability newsletter today (http://www.sans.org/newsletters/risk/display.php?v...) [link will not be valid until they archive the newsletter; for some reason I can't find the current @RISK newsletter on their website.] Many of these alerts are reading "Vendor confirmed, updates available," but as far as I can see, this is neither vendor confirmed, nor are updates available at this point for FF 3.6.

0puns0r3s
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
27th Feb, 2010 10:57
Score: -5 Posts: 22 User Since: 27th Feb 2010 System Score: N/A Location: IN Last edited on 27th Feb, 2010 10:59
Due to "unconfirmed" vulnerabilities like these, both Firefox and the open source community get bad press.
Others like Microsoft (Internet Explorer), Google (Chrome), Opera or Apple (Safari) will be rubbing their hands with joy!
An unconfirmed vulnerability is better than no vulnerability for the opposition to post more FUD and continue with mud slinging.
A black hatter says that his software has found a vulnerability in Firefox, but he refuses to disclose it and instead says that he will divulge it to people who buy his software.
So why do Secunia and other organizations give unnecessary weight to claims like these?
Doesn't Secunia have the resources to test out these claims? Or is their job only to report "vulnerabilities" and not care a damn about whether they are real or not?
I have a lot of respect for Secunia, but I think that they should confirm any vulnerability and only then should they rate it as "critical", "non-critical" or whatever!
The solution you've suggested seems to make no sense at all!
"Do not visit untrusted websites or follow untrusted links." Isn't this the "golden" rule for all browsers?
Please contact the Mozilla team or, better still, Evgeny Legerov and then confirm the bug if it does exist.

TiMow
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
27th Feb, 2010 13:26
Score: 336 Posts: 408 User Since: 26th Jun 2009 System Score: 100% Location: CH
@0puns0r3s
I am in agreement with you, and in the main with the other respondents to this thread.
Firefox is my browser of choice - I find it more secure, easier to update and use.
I was happy with 3.6, but until this current issue is resolved, felt obliged to downgrade to 3.5.8, as a compromise, as this was reported as still being secure.
This is a related thread and includes a Secunia official response, given when questioned about verification.
http://secunia.com/community/forum/thread/show/359...
For me the information is still not conclusive - time will tell, and hopefully will not have an adverse effect on the use of Firefox.
After all, there are many end-users who have grown used, almost to a degree of nonchalance, and who are happy to use IE and Chrome and their inherent insecurities on a daily basis.
TiMow
-- Computing is not yet a perfect science - it still requires humans.

0puns0r3s
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
27th Feb, 2010 17:36
Score: -5 Posts: 22 User Since: 27th Feb 2010 System Score: N/A Location: IN Last edited on 27th Feb, 2010 18:56
@TiMow: I've been sandboxing any browser I use for a very long time :). To be very honest, I don't think that anyone should downgrade because:
1. If it's affecting 3.6, it could be affecting 3.5 and earlier versions.
2. A good combination of addons like NoScript and safe browsing should take care of any threats around.
3. Sandboxing the browser is one good step towards securing it.
4. To make things even safer, I won't be doing stuff like netbanking or paying online bills (guess I'm more paranoid :) using Firefox.
If you can, please let me and others reading this thread know how exactly this vulnerability could affect users. That would be very, very helpful. Thanks!

TiMow
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
27th Feb, 2010 19:40
Score: 336 Posts: 408 User Since: 26th Jun 2009 System Score: 100% Location: CH
@0puns0r3s
I am unsure if your last question re. vulnerability was directed specifically at me, or the wider community in general.
As I implied above, my feelings are to question the authenticity of this vulnerability, and not to prove its existence.
But I try to base my decisions / choices on the available information. If as PSI users we believe in the benefits that it offers in reporting on insecurities, then we should therefore act on the information provided - which is what I have done re. changing from 3.6 back to 3.5.8 - which as of a scan today, still shows as secure (according to Secunia).
But I too have seen reports telling of multiple vulnerabilities in other versions - 3.0, 3.5; and in one case listing 3.5.8.
I think there is a lot of scaremongering going on, and almost to levels of conspiring against Mozilla.
I take on board your other points, and this is the 2nd time that the issue of sandboxing has been brought up. As of yet I don't use one, but this will probably have to change. I also try to avoid add-on overload, but will look into your recommendations.
TiMow
-- Computing is not yet a perfect science - it still requires humans.

0puns0r3s
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
28th Feb, 2010 08:29
Score: -5 Posts: 22 User Since: 27th Feb 2010 System Score: N/A Location: IN Last edited on 28th Feb, 2010 08:30
> @0puns0r3s
> I am unsure if your last question re. vulnerability was directed specifically at me, or the wider community in general.
> TiMow
@TiMow: Yes, that's what I meant :)... Would really appreciate it if someone from Secunia or anyone reading this thread could throw some light on how exactly this vulnerability will/could affect users of Firefox 3.6.

mAkree
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
28th Feb, 2010 10:40
Score: 1 Posts: 1 User Since: 28th Feb 2010 System Score: N/A Location: UK Last edited on 28th Feb, 2010 10:40
I appreciate that Secunia flags the unconfirmed threat. A discussion is triggered which I find beneficial. For example, now I will look into the option of installing sandbox software, although I am concerned about its effect on my already overloaded system.
Regarding the "fuss" about issuing alarms for unconfirmed threats or not, both sides of the question are right. In my view - and wish list - Secunia would insert a further column in the Unsecure Overview Screen entitled "Confirmed/Unconfirmed Status", and the concept of "confirmed" would be explicitly stated, e.g. tested by Secunia or tested by another reliable organisation.
I want to know of possible security threats AND if they are confirmed or unconfirmed.
@0puns0r3s, thanks for the practical advice you put in your comment.

Anthony Wells
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
28th Feb, 2010 12:12
Score: 743 Posts: 1,766 User Since: 19th Dec 2007 System Score: N/A Location: N/A Last edited on 28th Feb, 2010 12:19
I fell into a sandbox at the start of my PC ownership thanks to Ian "Gizmo" Richards and his late (much lamented) newsletter. He now has a very well (volunteer) run website where you can find "unbiased" advice on as much FREE software as you need to bring your system to a grinding halt :))
Following his advice, my security is based around an Internet Security suite, a sandbox and a "vulnerability" checker; with back up "on demand" A/V, A/S and rootkit scanners - enough overkill to satiate my paranoia, which does not preclude crossing fingers, smiling at the PC Wizard, etc. - you can read his ideas for yourself, if you have time:
http://www.techsupportalert.com/how-to-secure-your...
Hope this helps.
Take care
Anthony
PS: I have Ff as default, but also run Chrome in my sandbox - even though it has its own sandbox system - with no noticeable slowdown, apart from the initial sandbox start up; I can live and surf "happily" with that.
--
It always seems impossible until it's done.
Nelson Mandela

0puns0r3s
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
28th Feb, 2010 19:30
Score: -5 Posts: 22 User Since: 27th Feb 2010 System Score: N/A Location: IN Last edited on 28th Feb, 2010 19:38
> I fell into a sandbox at the start of my PC ownership thanks to Ian "Gizmo" Richards and his late (much lamented) newsletter. He now has a very well (volunteer) run website where you can find "unbiased" advice on as much FREE software as you need to bring your system to a grinding halt :))
> Following his advice, my security is based around an Internet Security suite, a sandbox and a "vulnerability" checker; with back up "on demand" A/V, A/S and rootkit scanners - enough overkill to satiate my paranoia, which does not preclude crossing fingers, smiling at the PC Wizard, etc. - you can read his ideas for yourself, if you have time:
> http://www.techsupportalert.com/how-to-secure-your...
> Hope this helps.
> Take care
> Anthony
> PS: I have Ff as default, but also run Chrome in my sandbox - even though it has its own sandbox system - with no noticeable slowdown, apart from the initial sandbox start up; I can live and surf "happily" with that.
@Anthony: You sound even more "paranoid" than me :)... But yes, it's each man for himself and each of us will have a different definition of what "computer security" is. I use a combination of Comodo Internet Security (just the firewall and Defense+) with Microsoft Security Essentials and GMER.
If I do have to run any unknown programs which I think could be a security risk, I use Sandboxie.
I also do not store passwords relating to online banking. I simply store those on my pendrive.
This addon is best when it comes to auto login in Firefox (this is similar to Opera Wand):
https://addons.mozilla.org/en-US/firefox/addon/442...
best
0puns0r3s

Anthony Wells
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
28th Feb, 2010 19:47
Score: 743 Posts: 1,766 User Since: 19th Dec 2007 System Score: N/A Location: N/A
@0puns0r3s,
Nice overkill :)) I should have mentioned that my ISP "gives" me a modem with a hardware firewall that Kiefer Sutherland and his team would be proud of cracking!!
I noticed you get around a bit, you started in "AX" and now you're in "IN"; great stuff "IT"; apparently I'm in "FR" wherever that is meant to be, the local wine is good which is all that matters :)
Take care
Anthony.
--
It always seems impossible until it's done.
Nelson Mandela

0puns0r3s
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
1st Mar, 2010 09:28
Score: -5 Posts: 22 User Since: 27th Feb 2010 System Score: N/A Location: IN Last edited on 2nd Mar, 2010 10:49
Hey! You are observant. I did not set the country option properly. I'm from IN of course :)... India.
Ah! So you're from France... AKA the land of (good) wine :) (just joking!)
Hmm... Hardware firewall sounds good! Guess that will take care of most of the risks.
And here's another exploit for IE 7 and 8. Seems to affect only XP and prior versions :):
http://www.computerworld.com/s/article/9163298/New...
And more jokes here for Safari vulnerabilities :):
http://blogs.zdnet.com/security/?p=5568
At this rate, maybe we should all switch to the Lynx browser or something outdated like that? :)

bjm-
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
2nd Mar, 2010 19:43
Score: 21 Posts: 262 User Since: 9th Mar 2009 System Score: 100% Location: US Last edited on 2nd Mar, 2010 20:06
FF3.6 vs. FF3.5.8
FF3.6 reported as insecure (running 3.6)
FF3.5.8 reported as secure
If I revert to 3.5.8 then I have the Security Vulnerabilities in 3.5.8 that were fixed in 3.6
I'm at a loss to understand why Secunia reports FF3.5.8 as secure when FF3.6 fixed known security issues in 3.5.8
http://www.mozilla.org/security/known-vulnerabilit...

gtatler
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
2nd Mar, 2010 22:21
Score: -4 Posts: 2 User Since: 24th Feb 2010 System Score: N/A Location: N/A Last edited on 2nd Mar, 2010 22:21
It's about time this was deleted. Absolutely ridiculous that this is still being flagged as insecure.

0puns0r3s
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
4th Mar, 2010 10:41
Score: -5 Posts: 22 User Since: 27th Feb 2010 System Score: N/A Location: IN
The Inquirer has a slightly better article than most news sites about the vulnerability:
http://www.theinquirer.net/inquirer/news/1593564/f...
I seriously hope that Mozilla issues some kind of public statement or something of that sort to all users of Firefox.
Secunia, maybe you can change the status of the vulnerability to "less severe" or perhaps something like "unconfirmed"?

bjm-
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
4th Mar, 2010 17:24
Score: 21 Posts: 262 User Since: 9th Mar 2009 System Score: 100% Location: US
How can or why should Secunia change their reporting....
As per this Secunia post below... Secunia has verified the threat....
As the threat has been verified by Secunia.... Secunia reported it and has no reason to modify their assessment. I hope Mozilla has reached out to Secunia.
Mozilla has been unable to verify the threat.... Since Secunia has verified the threat... logically Mozilla would be reaching out to Secunia.
Question to Secunia: Has Mozilla asked for your help?
_____________________________________________________
E.Petersen Firefox patch
forgetaboutit45 24th Feb, 2010 08:42
Posts: 171
User Since: 1st Jul 2009
System Score: N/A
Location: Copenhagen, DK
Hi,
The Secunia researchers verify all exploits before issuing advisories.
Please refer to:
http://secunia.com/research/about/
http://secunia.com/products/corporate/VIF/
--
Kind regards,
Emil R. Petersen
Secunia PSI Support
Secunia PSI
http://secunia.com/vulnerability_scanning/personal
_____________________________________________________
Respectfully submitted
bjm-

RichardD
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
4th Mar, 2010 19:20
Score: 8 Posts: 3 User Since: 4th Mar 2010 System Score: N/A Location: UK Last edited on 4th Mar, 2010 19:20
"Verified" in this context doesn't mean what you think it means. Look at the title of the "Report Reliability" element:
"Secunia always verify the reports and the majority of reports are also tested by Secunia staff."
The fact that the report has been verified does not mean that Secunia have tested the vulnerability, or been able to reproduce it.

dmtj4125
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
5th Mar, 2010 17:04
Score: -3 Posts: 2 User Since: 30th Jan 2010 System Score: N/A Location: US Last edited on 5th Mar, 2010 17:07
.

bjm-
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
5th Mar, 2010 18:27
Score: 21 Posts: 262 User Since: 9th Mar 2009 System Score: 100% Location: US
Hello Richard D
Thanks for your feedback...I apologize I am unable to locate the info you post..
I do locate the following
> Secunia Research Team
> The Secunia Research team is comprised of a number of Secunia security specialists, who besides testing, verifying, and validating public vulnerability reports, also conduct their own vulnerability research in various products.
> Since the inauguration of Secunia it has been our goal to be the most accurate and reliable source of Vulnerability Intelligence. We have achieved just that!
> Being the world's best Vulnerability Intelligence source requires skilled and dedicated staff with a passion for vulnerabilities.
> To reward our staff for their persistent efforts in verifying vulnerability reports and to ensure that they possess and hone their skills necessary to find vulnerabilities, we have awarded certain Secunia staff dedicated time to conduct vulnerability research.
> The Secunia Research Team members spend some of their time researching various high-profile closed source and open source software using a variety of approaches, but focusing mainly on thorough code audits and Binary Analysis.
> This allows them to sometimes discover hard-to-find vulnerabilities that are not normally found via e.g. fuzzing techniques and the approach has definitely paid off! Members of the Secunia Research Team have discovered critical vulnerabilities in many popular products from various vendors including: Microsoft, Symantec, IBM, Adobe, RealNetworks, Trend Micro, HP, Blue Coat, Samba, CA, Mozilla, and Apple.
_____________________________________________________
I read no Secunia text to indicate that "verified" does not mean "verified"
I read no Secunia text to indicate that... The fact that the report has been verified does not mean that Secunia have tested the vulnerability, or been able to reproduce it.
_____________________________________________________
How might Secunia verify a report absent testing to reproduce it.
Why would Secunia issue an insecure that has not been tested , verified and reproduced.
Secunia clearly states their mission:
The Secunia Research team is comprised of a number of Secunia security specialists, who besides testing, verifying, and validating public vulnerability reports, also conduct their own vulnerability research in various products.
Testing, Verifying, and Validating ~ As per Secunia the FF3.6 vulnerability has been tested , verified and validated.
My point is ~ How can / Why should Secunia change the insecure status of FF3.6 after all that testing, verifying and validating.
If Secunia processes are as diligently accurate as claimed then FF3.6 is insecure. Do you expect Secunia to rescind the insecure based on user complaints.
If I were Mozilla ... I would be reaching out to Secunia for help. Mozilla claims they are unable to gather any info from the person that reported the threat.
If Secunia has not reproduced this vulnerability then how can Secunia assign it a category level.
Mozilla is quiet and Secunia is sure they have a valid insecure Cat4 and reported as such.
Regards
bjm-
anytime Secunia official would care to chime in and correct / clarify this issue ...please !

RichardD
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
5th Mar, 2010 21:01
Score: 8 Posts: 3 User Since: 4th Mar 2010 System Score: N/A Location: UK Last edited on 5th Mar, 2010 21:01
"I am unable to locate the info you post.."
Hover your mouse over the "Available in Customer Area" text next to the "Report Reliability" label, and read the tool-tip:
"Vulnerability reports may vary in reliability depending on the sources. Secunia always verify the reports and the majority of reports are also tested by Secunia staff. Based on the findings during the verification and testing we also determine a reliability rating. E.g. reports from Microsoft are considered trusted and will be used directly in a Secunia advisory, however, Secunia may still choose to conduct further technical analysis and enhance / update the advisory based on this analysis."
Pay particular attention to the second sentence:
"Secunia always verify the reports and the majority of reports are also tested ..."
In other words, they have verified that the report looks genuine, but have not necessarily tested or reproduced the alleged vulnerability.
I don't expect Secunia to remove a vulnerability report based on user complaints, but I would expect them to make it clear whether they have reproduced the vulnerability, or even seen a believable demonstration of it.
At the moment, FF3.6 is listed as insecure because one person has claimed to have a working exploit. No details or demonstration has been made available, so nobody has any way of knowing whether this is genuine or a hoax. Given that Firefox is open-source, I find it hard to believe that there is only one person devious enough to find this supposed bug!
Reply relevance: +0 / -0

0puns0r3s
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
5th Mar, 2010 23:00
Score: -5 Posts: 22 User Since: 27th Feb 2010 System Score: N/A Location: IN Last edited on 5th Mar, 2010 23:00
@ Richard: You've put it so well! Thanks for that!
Reply relevance: +0 / -2

monsignor
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
6th Mar, 2010 08:16
Score: -8 Posts: 3 User Since: 3rd Apr 2009 System Score: 100% Location: US
After researching this vulnerability reported by Secunia for about 1 week, I too would like to determine if Secunia actually tested this claim.
I am looking to keep our users' machines clean and Secunia and Mozilla are not helping!
-- -jerryc
Reply relevance: +1 / -3

0puns0r3s
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
6th Mar, 2010 15:09
Score: -5 Posts: 22 User Since: 27th Feb 2010 System Score: N/A Location: IN Last edited on 7th Mar, 2010 10:42
To all those who have been following this thread:
Secunia has updated the links to include a blog post by the black hatter (who claimed to have discovered the vulnerability).
He says that the vulnerability does "exist" and furthermore he says "I've ignored emails from Nick Farrell and from Mozilla, please do not waste my and your time anymore".
In plain English, "I (may have ) found a vulnerability, however, since I'm a greedy guy:), I will not share this with Mozilla or the rest of the world. So if you want to know about it, pay up or shut up!"
However, he has also said "There are exists dozens of 0days in every browser, you can continue to use firefox as usual - I am writing this post using firefox.".
How nice:)....Bless you, sir!:)....So much for the open web.
Updated on March 7 2010: Looks like Evgeny Legerov has removed his blog about the Firefox Vulnerability. However, I've retrieved it through Google cache:)...For those interested here you go:
http://74.125.153.132/search?q=cache:4FlHH1qimvMJ:...
I think this is a Windows only flaw (correct me if I'm wrong:). These would be our options for now until Mozilla responds:
1. Sandbox the browser.
2. Do not visit unknown sites (already mentioned by Secunia)
3. Use addons like noscript to block out javascript, flash and silverlight
One more thing: Why can't a company like Secunia or Mozilla simply buy the Vulndisc software package and check out the vulnerability themselves?
Reply relevance: +1 / -0

bjm-
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
6th Mar, 2010 18:23
Score: 21 Posts: 262 User Since: 9th Mar 2009 System Score: 100% Location: US Last edited on 8th Mar, 2010 20:22
Hello RichardD & 0puns0r3s
Thank you for keeping this issue live....
Thank you for your informative helpful posts...
--------------------------------------------------
My purpose for posting Secunia's mission statement was to solicit a response from a Secunia official to stand behind their statement.
"The Secunia Research team is comprised of a number of Secunia security specialists, who besides testing, verifying, and validating public vulnerability reports, also conduct their own vulnerability research in various products"
--------------------------------------------------
The above Secunia statement in no way suggests that Secunia has only verified that the report looks genuine, but may not necessarily have tested or reproduced the alleged vulnerability. The Secunia mission statement text asserts testing, verifying, and validating public vulnerability reports, and also conducting their own vulnerability research in various products. Testing, Verifying, Validating and Conducting in-house Vulnerability Research. Again, how would Secunia assign a Cat4 absent Testing, Verifying, and Validating?
I see no reason to excuse Secunia based upon "the majority of reports are also tested ..."
How would a threat rate a Cat4 if it were not Tested, Verified and Validated?
How would a threat rate a Cat4 if Secunia has not reproduced the vulnerability, or even seen a believable demonstration of it?
This user either has to accept, on faith and the past performance of Secunia, that the validity of this Secunia reported threat is accurately reported, or this user must call into question all Secunia reporting.
I do not pay for Secunia reporting... so, I can not hold Secunia to my standards. All I have is my trust in and the past performance of Secunia.
If I paid for Secunia... I would expect them to make it clear whether they have Tested, Verified & Reproduced the Vulnerability, or even seen a believable demonstration of it.
RichardD & 0puns0r3s ... how is the Cat4 rating determined absent Testing, Verifying, and Validating?
Do I accept the accuracy of this Secunia reporting or do I call into question all Secunia reporting?
Quandary,
bjm-
Reply relevance: +0 / -3

0puns0r3s
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
8th Mar, 2010 08:54
Score: -5 Posts: 22 User Since: 27th Feb 2010 System Score: N/A Location: IN Last edited on 8th Mar, 2010 10:30
@ bjm-You've asked some very good questions and Secunia are the only ones who could give a proper answer:)...Regarding the Firefox vulnerability:
1. To put it very bluntly, we only have the hacker's words right now that "a vulnerability does exist". No other person has come forward saying that "there is a vulnerability"....
(unknown source) "I am unable to locate the info you post.."
Hover your mouse over the "Available in Customer Area" text next to the "Report Reliability" label, and read the tool-tip:
"Vulnerability reports may vary in reliability depending on the sources. Secunia always verify the reports and the majority of reports are also tested by Secunia staff. Based on the findings during the verification and testing we also determine a reliability rating. E.g. reports from Microsoft are considered trusted and will be used directly in a Secunia advisory, however, Secunia may still choose to conduct further technical analysis and enhance / update the advisory based on this analysis."
Pay particular attention to the second sentence:
"Secunia always verify the reports and the majority of reports are also tested ..."
In other words, they have verified that the report looks genuine, but have not necessarily tested or reproduced the alleged vulnerability.
I don't expect Secunia to remove a vulnerability report based on user complaints, but I would expect them to make it clear whether they have reproduced the vulnerability, or even seen a believable demonstration of it.
At the moment, FF3.6 is listed as insecure because one person has claimed to have a working exploit. No details or demonstration has been made available, so nobody has any way of knowing whether this is genuine or a hoax. Given that Firefox is open-source, I find it hard to believe that there is only one person devious enough to find this supposed bug!
Like Richard D, I find it very hard to believe that only one person has been able to find the vulnerability given the fact that Firefox's code is open source!
Here is a blog post by Sebastien Klipper and a response by Secunia's CSO Thomas Kristensen. Secunia are actually "admitting" that "This particular report is a bit special because of the lack of information available.". Plain English: We can't say for sure that such a vulnerability exists!:)
Blog post: http://blog.psi2.de/en/2010/02/20/going-commercial...
I've posted there...Let's wait and watch:)
Reply relevance: +1 / -5

bjm-
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
8th Mar, 2010 19:07
Score: 21 Posts: 262 User Since: 9th Mar 2009 System Score: 100% Location: US Last edited on 8th Mar, 2010 20:25
Hello 0puns0r3s
Looks like Opera and Secunia are working together... http://secunia.com/blog/86
Hopefully Mozilla will follow...
Quandary continues?
bjm-
Reply relevance: +0 / -5

0puns0r3s
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
9th Mar, 2010 10:08
Score: -5 Posts: 22 User Since: 27th Feb 2010 System Score: N/A Location: IN Last edited on 9th Mar, 2010 10:14
@ bjm- I've sent an e-mail to Mozilla (security@mozilla.org).
Here is what I sent them:
I'm writing this e-mail in the hope that I could get some answers regarding the Firefox 3.6 vulnerability.
For the past two weeks, I've been reading that there is supposed to be a "zero-day" flaw in Firefox 3.6, reported by Evgeny Legerov(source: http://www.theregister.co.uk/2010/02/18/firefox_ze...)
I've seen many sites taking this "vulnerability" stuff and create unnecessary mud slinging:(.....
It would be great if the Firefox team or rather the Firefox Security team would issue a statement of some kind reassuring their users. At the end of the day, it's bad press that kills a product.
My questions (please note that I'm not a software developer or anything like that:)..I'm just a web user):
1. Why can't Mozilla purchase the Vulndisco software package? I'm aware of the fact that the black hatter guy (Evgeny Legerov) could be using "blackmail" tactics to force everyone to buy his software.
2. Is this a "Windows-only" vulnerability or does it affect the Macintosh and Linux platforms also? I'm a Windows user who is pretty tech savvy:), but I would still like to know how this vulnerability would affect Windows.
3. I've been following up on this issue at this secunia thread:
http://secunia.com/advisories/38608/
Secunia gives it a "Highly Critical" rating. The Firefox Team could approach Secunia and ask them on what basis they have rated this as a "Highly Critical" rating.
I don't expect them to reply to me, but heck it's better than nothing:)...If they do send me a response, I'll post it here.
0puns0r3s
Reply relevance: +3 / -0

coopa
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
9th Mar, 2010 16:09
Score: 4 Posts: 4 User Since: 9th Mar 2010 System Score: N/A Location: US Last edited on 9th Mar, 2010 16:09
0puns0r3s,
The Mozilla Team already put out a note they were trying to get in touch with the alleged exploit finder with no success.
The problem with buying Vulndisco is that you set a precedent- if Mozilla did it, they would essentially be paying for exploit info. After caving once, how many people do you think would somehow package exploits for sale to Mozilla?
The first source link says XP SP3 and Vista, but there's no way to tell as no one has PoC code.
Reply relevance: +2 / -0

bjm-
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
9th Mar, 2010 19:01
Score: 21 Posts: 262 User Since: 9th Mar 2009 System Score: 100% Location: US
@ coopa
coopa makes a valid point re > they would essentially be paying for exploit info. Open Source is supposed to allow the free flow of info.
Unfortunate that Mozilla is silent... I have search'd all over Mozilla for just a faint reference to Secunia. IDK Mozilla appears to have acknowledged the reported threat and has no other plans for now?.
Secunia has acknowledged the reported vulnerability and extends the reported vulnerability both credibility and severity.
Kudos to Opera for stepping up and reaching out to Secunia.
thanks to all for keeping this thread active...
No benefit to giving the hatter more press time....but, Secunia users (this user) need to better understand the process. How does a reported issue go from A to B and B with a Cat4. Is it all subjective ? How does any claimed threat get acknowledged and validated and reported and rated by Secunia.
Recall, Opera denied their threat at first and now Opera appears to be taking it seriously. Secunia has a big soapbox. When Secunia speaks ....it does carry weight. Why Mozilla is not hearing....unknown?
Regards to all @ Secunia,
bjm-
Reply relevance: +2 / -0

Dr Zen
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
9th Mar, 2010 19:33
Score: 1 Posts: 8 User Since: 2nd Nov 2009 System Score: N/A Location: US
Reply relevance: +1 / -0

bjm-
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
10th Mar, 2010 07:12
Score: 21 Posts: 262 User Since: 9th Mar 2009 System Score: 100% Location: US
Hi Dr Zen
Thanks for the informative, thorough helpful post...
@ my post in this thread >
bjm- Mozilla Firefox Unspecified Code Execution Vulnerability
4th Mar, 2010 17:24
[...]The Secunia researchers verify all exploits before issuing advisories.[...]
Emil R. Petersen
Secunia PSI Support
--------------------------------------------------
@ Dr Zen wrote:
Status: Vendor confirmed, updates available.
~ Where are the updates? I check for updates several times a day. I just checked. No updates available from Mozilla for Firefox.
Regards
bjm-
Reply relevance: +0 / -0

0puns0r3s
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
10th Mar, 2010 08:47
Score: -5 Posts: 22 User Since: 27th Feb 2010 System Score: N/A Location: IN Last edited on 10th Mar, 2010 09:41
@ coopa, bjm- and Dr Zen thanks for the info! We have learnt a lot at this thread!
(unknown source) @ coopa
coopa makes a valid point re > they would essentially be paying for exploit info. Open Source is supposed to allow the free flow of info.
Unfortunate that Mozilla is silent... I have search'd all over Mozilla for just a faint reference to Secunia. IDK Mozilla appears to have acknowledged the reported threat and has no other plans for now?.
Secunia has acknowledged the reported vulnerability and extends the reported vulnerability both credibility and severity.
Kudos to Opera for stepping up and reaching out to Secunia.
thanks to all for keeping this thread active...
No benefit to giving the hatter more press time....but, Secunia users (this user) need to better understand the process. How does a reported issue go from A to B and B with a Cat4. Is it all subjective ? How does any claimed threat get acknowledged and validated and reported and rated by Secunia.
Recall, Opera denied their threat at first and now Opera appears to be taking it seriously. Secunia has a big soapbox. When Secunia speaks ....it does carry weight. Why Mozilla is not hearing....unknown?
Regards to all @ Secunia,
bjm-
Regarding the Opera Vulnerability, this is what I've learned so far....It was "disclosed" by (Marcin Ressel/Vupen Security) (source: http://www.theregister.co.uk/2010/03/05/opera_vuln...). Keyword here being "disclosed":).....In the case of Firefox, the Vulndisco guys have not "disclosed" the supposed "vulnerability".
Therefore, I still fail to see how Secunia could give a "Category 4 Security Threat" to Firefox without a proper "Proof of Concept" demo!
As a further update, here is the response I received from the Firefox Security Team:
(unknown source) Hi <my real name here!:)>,
I saw your comment on the blog post as well. I'm sorry, but there is simply no additional information that we have to share that isn't posted there. If and when we learn anything actionable, we will be sure to respond appropriately.
Regards,
Brandon Sterne
Mozilla Security Group
The old google cache page of the Intevydis blog post which I posted a few comments ago appears to be dead. Here is a new cache page by the Russian blackhatter. For those interested, check it out:
http://74.125.153.132/search?q=cache:LTKbp1zuTHwJ:...
I'm posting his entire comments here since this page could also disappear from Google cache:
It seems that a lot of rabbits are speculating about Firefox module which has been released as a part of Vulndisco 9.0.
Honestly we see nothing special about this particular bug, as there are tremendous amount of bugs in every browser. If we were able to find 1 bug in Firefox, highly motivated organized hackers will find 10 bugs, 'security industry' is usually one step behind hackers...
We are not going to explain here why we are developing Vulndisco and how it can be used, but some points about ff module should be explained:
1. first of all, ff exploit is not 'being used in the wild'
2. some morons say that increase of ff crashes is probably 'the exploit being tested' ...no comments
3. fact that there is no 'credible source' who can confirm the existence of ff exploit means nothing
4. fake Vulndisco user 'Mario23' who posted a message to Immunity forum - yet another moron, probably from Mozilla security team
To sum up, as post to mozilla security blog suggests - 'keep browsing with Firefox with confidence'
Posted by Evgeny Legerov at Monday, March 01, 2010
If 1 + 1=2, then.......No proof of concept code, only one person/software module has reported this vulnerability, most of us are firefox users and we've seen nothing unusual, unnecessary FUD and publicity....Then there is nothing (much) to worry about:)....Of course, we do continue to be careful while browsing the web with any browser...That is understood.
Please correct me if I'm wrong.
Reply relevance: +1 / -0

Dr Zen
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
10th Mar, 2010 17:34
Score: 1 Posts: 8 User Since: 2nd Nov 2009 System Score: N/A Location: US
Yeah, I too found out Mozilla has no true update, BUT I did see in one of those threads that disabling Java is a potential workaround for now.... can anyone assist in verifying that?
And you are most welcome. I too find this difficult to fathom. Just hope that one of the members here is not related to that black H A T or IS.
-- Dr Zen
Reply relevance: +1 / -0

bjm-
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
10th Mar, 2010 18:07
Score: 21 Posts: 262 User Since: 9th Mar 2009 System Score: 100% Location: US Last edited on 10th Mar, 2010 18:50
Hello 0puns0r3 ~ coopa ~ Dr Zen ~ Anthony Wells,
We are at an impasse...? Yes/No?
1) The Secunia researchers verify all exploits before issuing advisories.
Emil R. Petersen
Secunia PSI Support
2) All known publicly reported vulnerabilities are Fixed in:
Firefox 3.6
Firefox 3.5.8
Firefox 3.0.18
Thunderbird 3.0.2
SeaMonkey 2.0.3
3) There is reportedly a working commercial exploit from the
VulnDisco Pack.
4) Secunia researchers verify all exploits before issuing advisories.
5) Technical details for this vulnerability are not available publicly and there are
reportedly no public proof-of-concepts or exploits circulating in the wild.
6) Secunia researchers verify all exploits before issuing advisories.
7) I still fail to see how Secunia could give a "Category 4 Security Threat" to Firefox without a proper "Proof of Concept" demo!
8) I would expect Secunia to comment further on this problem having put out an Advisory on a "muddy" situation , especially if they can confirm the exploit and Mozilla don't seem able .
--------------------------------------------------
re > I run my browsers in a sandbox ("Sandboxie")
Sandboxie has limitations....
Sandboxie cannot always protect from exploits that only require the browser to be actionable. There are exploits that appear as normal browser activity and only require the browser to be actionable. Sandboxie is more effective with exploits that require an app outside the sandbox'd browser to be actionable.
--------------------------------------------------
Impasse & Quandary
bjm-
P.S. to Dr Zen re > Workaround - disabling Java ?
I read:
Disable JavaScript until a version containing these fixes can be installed.
Java and JavaScripts are not the same animal. JavaScripts do not require Java.
~~Until a version containing these fixes can be installed~~
see item 2) All known publicly reported vulnerabilities are Fixed.
I run FF (all ver) with Java and Flash disabled all the time & of course with NoScripts (for JavaScript). I find very limited use for Java & I enable Flash player as required. As I am also Sandbox'd...all enabled revert to disabled upon dumping the sand. I do not allow access to the entire profile.
Cheers
bjm-
Is it time to explore Google Chrome or Opera...?
Reply relevance: +0 / -0

Anthony Wells
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
10th Mar, 2010 18:58
Score: 743 Posts: 1,766 User Since: 19th Dec 2007 System Score: N/A Location: N/A Last edited on 10th Mar, 2010 19:08
Hello bjm ,
The question certainly is for me three fold :-
1) if there is no PoC and it's not in the wild , then we don't know if any specific counter measure is directly useful , in this case ;
2) why/how have Secunia come up with a CAT 4 ; is it a "catch all" super cautious thing ?? ;
3) Will it encourage other hackers to hold people to ransom (so to speak) ??
Regarding "Sandboxie" , for sure nothing is 100% secure (that's why we are here:(( :) . I use it to great effect (for me , that is) as a part of my security set up to look to get "good" safety with ease of access to the surf .
Sandboxie clearly state that they update pretty regularly to cover known vulnerabilities , but at my level of use I am not clear what you mean by "actionable" apps in and out of the box and the problem therein .
If you have time , perhaps you could add some extra detail .
Take care
Anthony
PS: I am running Google Chrome (4.0.x stable) and it sits well alongside Firefox . It has its own sandbox system and the latest versions also run happily in Sandboxie .
--
It always seems impossible until it's done.
Nelson Mandela
Reply relevance: +3 / -0

bjm-
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
10th Mar, 2010 21:39
Score: 21 Posts: 262 User Since: 9th Mar 2009 System Score: 100% Location: US
Hello Anthony,
quote from http://www.sandboxie.com/index.php?HelpTopics
It should be noted, however, that Sandboxie does not typically stop sandboxed programs from reading your sensitive data.
It is very difficult to reliably detect a key-logger. For a lengthy explanation, see Detecting Key Loggers
http://www.sandboxie.com/index.php?DetectingKeyLog...
http://www.wilderssecurity.com/showthread.php?t=24...
~ knowledgeable Sandboxie users know how to tighten up the default Sandboxie settings ~ some @ Secunia Forum may have been introduced to Sandboxie via this thread.... I did not want my posts to infer Sandboxie is perfect. I always browse sandbox'd. But, if I happen on a rogue site... Sandboxie will not protect me from myself. Posting this on a trusted site, there is a free exchange of data sandbox'd. If I were posting this on a rogue site, there would also be a free exchange of data.
--------------------------------------------------
Thanks for the comments about Google Chrome ~ every time I think I'll try Chrome, I read about concerns over Google tracking and privacy.
http://www.srware.net/en/software_srware_iron.php
--------------------------------------------------
just between us (no one else will read this)....do you feel Secunia has accurately reported FF 3.6 vulnerability..
Regards
bjm-
Reply relevance: +2 / -0

Anthony Wells
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
10th Mar, 2010 22:15
Score: 743 Posts: 1,766 User Since: 19th Dec 2007 System Score: N/A Location: N/A
Hi bjm ,
Thank you for the clarification on sandboxes which I understand and at least I feel comfortable I am not missing anything .
You rightly emphasise the "read" possibility and all that entails and that using the FAQ and excellent Forum will help new users to tighten the bolts to make their paranoia squeak . I really am only looking in my case to stop exploits installing or downloading whilst my back is turned :((
As far as Google tracking is concerned , I feel that once you are surfing with any kind of speed or freedom you are anybody's and everybody's and your data is up for grabs to any bidder ; I don't get the impression Google are any better or worse . If you want to worry , think of what the Govt. or your Insurance Co knows about you and how "secure" that data is (not) .
I clean out Ff and Chrome most days with CCleaner after choosing (along with Browser settings) which site data I may want to keep for particular access or arrangement . At the end of the day there is not much left .
As to the handling of the Ff problem , just between you and me , then nobody comes out looking good . We are so used to trusting Secunia (as you have pointed out) and , in general , rightly so : but let's face it , if you or I can make a mistake then so can anyone ; an unknown ranking rather than CAT 4 would be more understandable to me :)
Take care
Anthony
--
It always seems impossible until it's done.
Nelson Mandela
Reply relevance: +2 / -0

0puns0r3s
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
11th Mar, 2010 10:19
Score: -5 Posts: 22 User Since: 27th Feb 2010 System Score: N/A Location: IN Last edited on 11th Mar, 2010 10:27
@ all: Yes, we are at an impasse:)...Before we continue, I am not a hacker:) though I do pick up his posts from Google or Google cache.....I too hope that you guys are not hackers:).....Our final option: Start an online petition and send it to Michelle Baker, the CEO of Mozilla.
@ bjm-Sandboxie is a good tool, but if you practice "safe browsing", there is no need for (more) paranoia:)......
1. Use noscript and disable javascript etc...and allow those for sites which you trust.
2. If you don't visit sites which are breeding grounds for malware (examples: warez sites, keygen, crack sites etc....etc...), half of your online problems vanish:)
3. If you don't click on random popups or ads which say "your computer is infected. Click here to fix or perform a free scan", then another part of your problems vanish:)
My only primary concern: Online banking! For anything that requires you to use your online banking account, I think that for that alone, an alternative browser should be used (more paranoia!:)...However, I did use Firefox to pay my online phone bills and my banking account is intact:) (touchwood!)
Secunia: I still have a lot of respect for you guys and I'm also a user of your PSI tool, but if you do know about the "exploit", please clarify. Otherwise, there is seriously no point having a "CAT 4 rating". How different is your organization from that of the hackers?
If you do have the info, but are willing to share it with only customers who can "pay up", please mention it in the advisory. On the other hand, if you do not have the info, please say so.
Make it clear and do not hide behind fancy jargon. This smacks of irresponsibility and goes against the spirit of Open source software and the free web.
I really don't know whether this is reliable, but the thread at the Immunity forum seems to have been updated:
If it is true, then it seems that the bug occurs if Firefox tries to load a "malformed" PNG File. Quoting the response here:
(unknown source) Finally, after long boring email contact (and after credit card transfer), I've got the download/license.
I've tried it but it did not work well here. Just Firefox crashes, but the sample code (starting of %system_dir%\calc.exe as far as I understood) did not work... (WinXP SP3, Firefox 3.6) Probably just my tests were incorrect - I don't know, I've tried to contact the support team, but no answer. :(
Just some small info: The bug occurs when Firefox tries to (specially? - did not test something else but the one example code) load a malformed PNG file; I do not know the PNG format very well, so no further info here.
Still, you can contact me about the code/PNGs. I'll just answer honest proposals (don't waste my time in any other case - transmutator42 at gmail dot com).
TransMutator
--- Last Edited by TransMutator at 2010-02-08 14:58:14 ---
Forum link here:
https://forum.immunityinc.com/board/thread/1161/vu...
Reply relevance: +2 / -0

bjm-
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
11th Mar, 2010 19:17
Score: 21 Posts: 262 User Since: 9th Mar 2009 System Score: 100% Location: US Last edited on 11th Mar, 2010 19:27
To Secunia Official
Please explain how Secunia assigns a Cat4 rating. What protocol is used?
I would better understand / trust the rating if I knew whence it came and how it is derived. What checks and balances are at play to ensure accurate vulnerability reporting & rating?
Please explain if Secunia has tested, verified, validated and/or reproduced the Mozilla Firefox Unspecified Code Execution Vulnerability.
--------------------------------------------------
Please clarify the new Relevancy Score system. What prompts > This reply has been minimized due to a negative Relevancy Score? How many thumbs down prompt a post minimization? Is Relevancy Scoring exclusively user based? May Secunia thumb up/down a post? May Secunia minimize a post for cause? So, if I just don't like a user for any reason... all I have to do... is vote negative.
Very democratic ~ one negative, and any opinion, any contribution, any post is minimized.
Respectfully submitted
bjm-
Reply relevance: +4 / -4

0puns0r3s
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
12th Mar, 2010 08:32
Score: -5 Posts: 22 User Since: 27th Feb 2010 System Score: N/A Location: IN Last edited on 12th Mar, 2010 08:35
@ Secunia: Some of us in this thread have been quite frank with our questions. We came here expecting some sort of reply from you guys. Sadly, we still have not got them.
We could not care much about the negative ratings we get! Heck, none of us trolled...we did our best and we still have not received any kind of answer.
@ all: It's been a pleasure interacting with you guys in this thread. Until we meet again elsewhere:). If there is some kind of update regarding this issue, do not hesitate to share it here. Bye for now.
Just a small piece of news for those interested. Firefox will have an update to the next version "3.6.2". Yes, there will be no 3.6.1. Probably by March 30th or so...So guess that will take a bit of worry from our minds. More details here:
https://wiki.mozilla.org/Releases/Firefox_3.6.2
Reply relevance: +8 / -6

Secunia Research
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
12th Mar, 2010 13:18
Score: 5 Posts: 7 User Since: 16th Feb 2010 System Score: N/A Location: Copenhagen, DK
For your information, we do read every single posting on the "Secunia Vulnerabilities Forum". When we see relevant information we will, to the extent possible, confirm this and, if applicable, update the relevant advisory.
This means that if we don't update an advisory, usually within one business day, then the advisory is considered accurate as is - or the posting didn't contain sufficient evidence to prove, reproduce, or verify the claim.
For more information about the "Secunia Vulnerabilities Forum" see:
http://secunia.com/community/forum/thread/show/374...
This page contains some details on the terminology used and ratings:
http://secunia.com/advisories/terminology/

bjm-
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
12th Mar, 2010 18:20
Score: 21 Posts: 262 User Since: 9th Mar 2009 System Score: 100% Location: US
Hello Secunia
@ Secunia
A vulnerability has been reported in Mozilla Firefox, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an unspecified error and can be exploited to execute arbitrary code.
The vulnerability is reported in version 3.6. Other versions may also be affected.
@ Secunia
This means that if we don't update an advisory, usually within one business day, then the advisory is considered accurate as is - or the posting didn't contain sufficient evidence to prove, reproduce, or verify the claim.
@ Secunia
The Secunia researchers verify all exploits before issuing advisories.
Emil R. Petersen
Secunia PSI Support
----------------------------------------
Since the Mozilla Firefox Unspecified Code Execution Vulnerability advisory has not been updated, the advisory is considered accurate as is - or the posting did not contain sufficient evidence to prove, reproduce, or verify the claim.
Q: How does this user know if the Mozilla Firefox Unspecified Code Execution Vulnerability advisory is accurate - or - the posting did not contain sufficient evidence to prove, reproduce, or verify the claim?
Q: How does this user reconcile - "The Secunia researchers verify all exploits before issuing advisories. The Secunia Research team is comprised of a number of Secunia security specialists, who besides testing, verifying, and validating public vulnerability reports, also conduct their own vulnerability research in various products."?
----------------------------------------
A) Secunia researchers presumably verified this exploit before issuing the advisory.
B) Secunia researchers presumably tested, verified and validated this exploit and may have conducted their own vulnerability research.
Or,
C) The posting did not contain sufficient evidence to prove, reproduce, or verify the claim.
How does this user know if A, B or C is the scenario?
----------------------------------------
Secunia asserts that Secunia researchers verify all exploits before issuing advisories.
Secunia asserts that Secunia may not have sufficient evidence to verify the exploit.
Fact: Mozilla Firefox Unspecified Code Execution Vulnerability advisory was issued.
Either Secunia verified the exploit before issuing the advisory - or - Secunia did not verify the exploit due to lack of sufficient evidence.
How does this user know if the exploit was verified or was not verified?
Simple question: How does the user know if the exploit was verified or was not verified?
Respectfully submitted,
bjm-
Was this reply relevant? +5 / -7

coopa
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
14th Mar, 2010 01:54
Score: 4 Posts: 4 User Since: 9th Mar 2010 System Score: N/A Location: US Last edited on 14th Mar, 2010 01:54
I can see reporting this when it came out, but the evidence is overwhelmingly against the existence of the vulnerability.
-No use in the wild
-No proof of concept
-The security researcher Evgeny Legerov has deleted his Twitter and blog (one of Secunia's sources, mind you)
-The Firefox team has tried to contact him
-He disclosed the alleged bug as part of a commercial exploit pack, the only 2 posts from customers say the bug does not work
It wasn't irresponsible to list this alleged vulnerability when it came out due to Evgeny Legerov's track record (milw0rm, etc.) but at this point...?
Was this reply relevant? +5 / -7

Pink_Freud
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
14th Mar, 2010 03:52
Score: -11 Posts: 8 User Since: 9th Oct 2009 System Score: 100% Location: N/A
(unknown source)
----------------------------------------
A) Secunia researchers presumably verified this exploit before issuing the advisory.
B) Secunia researchers presumably tested, verified and validated this exploit and may have conducted their own vulnerability research.
Or,
C) The posting did not contain sufficient evidence to prove, reproduce, or verify the claim.
How does this user know if A, B or C is the scenario?
----------------------------------------
Secunia asserts that Secunia researchers verify all exploits before issuing advisories.
Secunia asserts that Secunia may not have sufficient evidence to verify the exploit.
Fact: Mozilla Firefox Unspecified Code Execution Vulnerability advisory was issued.
Either Secunia verified the exploit before issuing the advisory - or - Secunia did not verify the exploit due to lack of sufficient evidence.
How does this user know if the exploit was verified or was not verified?
Simple question: How does the user know if the exploit was verified or was not verified?
Respectfully submitted,
bjm-
Very well stated. Simple questions as yet not even remotely addressed....after what, 6 weeks??? 7??? The SILENCE is DEAFENING.....
Meanwhile, in the distance the conspicuous by his absence "black hatter" can be heard bellowing raucously...
http://www.youtube.com/watch?v=xMqHJrdXj0s&feature...
Was this reply relevant? +1 / -4

0puns0r3s
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
14th Mar, 2010 09:48
Score: -5 Posts: 22 User Since: 27th Feb 2010 System Score: N/A Location: IN Last edited on 14th Mar, 2010 09:48
Secunia: From what all of us in this thread understand:
1. The so-called vulnerability seems to be completely unconfirmed since the hacker reported it.
2. Secunia confirms all "vulnerabilities" and only then gives a rating.
3. This would mean that Secunia has knowledge of how the vulnerability would work. In other words, your organization can "demonstrate" how this vulnerability would work.
4. If (that's a huge IF) the black hatter's software did detect a vulnerability for real in Firefox and he has sold it to interested groups, then we would hear reports of many Firefox browsers being "hacked" around the world. But so far, we've not heard of any such reports.
5. I'm still using Firefox as my primary browser for casual browsing and also paying my bills online. I've noticed nothing unusual like sudden unexpected crashes or unnecessary freezes. Then again, I also practice safe browsing.
6. Your PSI tool rating says "Insecure-no solution" for Firefox 3.6. Excuse me?
Have you taken the trouble to contact the Mozilla team and confirmed with them before giving such a status to Firefox?
Was this reply relevant? +7 / -11

bjm-
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
14th Mar, 2010 19:06
Score: 21 Posts: 262 User Since: 9th Mar 2009 System Score: 100% Location: US Last edited on 14th Mar, 2010 19:14
Open message to all PSI users,
@Secunia
For your information, we do read every single posting on the "Secunia Vulnerabilities Forum". When we see relevant information we will, to the extend possible, confirm this and, if applicable, update the relevant advisory.
@ Secunia
This means that if we don't update an advisory, usually within one business day, then the advisory is considered accurate as is - or the posting didn't contain sufficient evidence to prove, reproduce, or verify the claim.
The above Secunia explanation is meaningless, useless double speak:
If we (Secunia) don't update an advisory ....
then the advisory accuracy is "as is" ...or,
the advisory accuracy is "not as is".
Clear as mud!
Oh! and also contradicts Secunia's mission statement.
Regards to all PSI users in this thread!
Respectfully submitted,
bjm-
Was this reply relevant? +2 / -5

Pink_Freud
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
14th Mar, 2010 19:51
Score: -11 Posts: 8 User Since: 9th Oct 2009 System Score: 100% Location: N/A Last edited on 14th Mar, 2010 20:04
(unknown source)
For your information, we do read every single posting on the "Secunia Vulnerabilities Forum". When we see relevant information we will, to the extend possible, confirm this and, if applicable, update the relevant advisory.
This means that if we don't update an advisory, usually within one business day, then the advisory is considered accurate as is - or the posting didn't contain sufficient evidence to prove, reproduce, or verify the claim.
For more information about the "Secunia Vulnerabilities Forum" see:
http://secunia.com/community/forum/thread/show/374...
This page contains some details on the terminology used and ratings:
http://secunia.com/advisories/terminology/
Thank you for uhhhh...clearing this up! (insert sarcasm emoticon here)
Will there be a statement or announcement of any significant relevancy and/or clarity regarding this issue forthcoming by Secunia and/or Mozilla any time in this millennium ??
Secunia is a terrific program, and I surely cannot complain about its cost (nil)--but this situation seems ridiculous to me. Can we PLEASE get some relevant information (a workaround, perhaps?) sometime SOON????
Respectfully,
Joe D aka Pink_Freud
Was this reply relevant? +2 / -5

Ziff
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
15th Mar, 2010 03:12
Score: -2 Posts: 3 User Since: 8th Feb 2010 System Score: N/A Location: N/A
As a very raw rookie on this stuff, I may be posting inappropriately here; if so, tell me.
I was walking out the door mid-afternoon; my Avira had started its daily scan. I was in a hurry so I just clicked to turn it off, but it beeped at me: it had found something. I should have written it down (as I said, I was in a hurry), but it said something about HTML and Firefox. On Avira's info it said the gremlin was originally identified in 2007, but something had been updated in Feb 2010.
Could this be the fabled Firefox vulnerability?
Was this reply relevant? +0 / -2

0puns0r3s
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
15th Mar, 2010 09:11
Score: -5 Posts: 22 User Since: 27th Feb 2010 System Score: N/A Location: IN Last edited on 15th Mar, 2010 09:11
@ Ziff: Could you please check your scan log results and see what it found? You could also try asking in the Avira forum. That would be a good idea.
Don't worry! We're also "rookies" here:)
Was this reply relevant? +0 / -2

Jesant13
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
15th Mar, 2010 14:43
Score: -12 Posts: 8 User Since: 10th Sep 2009 System Score: 100% Location: US
(unknown source)
From the Mozilla Security Blog:
Mozilla is aware of the claim of a zero-day in Firefox as posted here: http://secunia.com/advisories/38608/. We cannot confirm the report as we have received no details regarding the reported vulnerability, such as a proof-of-concept or steps to reproduce. We’ve attempted to contact the researcher who discovered the issue but have not received a response.
Mozilla takes all reports of security vulnerabilities seriously. As always, if you have information about security issues, please send details to security@mozilla.org.
Lucas Adamski, Mozilla Security
I agree with Mozilla. This report does not provide enough evidence or information on how to fix this "exploit." I like that I'm using a browser whose company takes security vulnerabilities seriously, unlike Microsoft.
Until this report can be confirmed as having significant evidence, I'm not going to worry.
Was this reply relevant? +0 / -5

bjm-
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
15th Mar, 2010 16:06
Score: 21 Posts: 262 User Since: 9th Mar 2009 System Score: 100% Location: US
Open message to all PSI users,
@Secunia
For your information, we do read every single posting on the "Secunia Vulnerabilities Forum". When we see relevant information we will, to the extend possible, confirm this and, if applicable, update the relevant advisory.
@ Secunia
This means that if we don't update an advisory, usually within one business day, then the advisory is considered accurate as is - or the posting didn't contain sufficient evidence to prove, reproduce, or verify the claim.
The above Secunia explanation is meaningless, useless double speak:
If we (Secunia) don't update an advisory ....
then the advisory accuracy is "as is" ...or,
the advisory accuracy is "not as is".
Clear as mud!
Oh! and also contradicts Secunia's mission statement.
Regards to all PSI users in this thread!
Respectfully submitted,
bjm-
Was this reply relevant? +3 / -8

bjm-
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
15th Mar, 2010 16:07
Score: 21 Posts: 262 User Since: 9th Mar 2009 System Score: 100% Location: US
on 12th Mar, 2010 13:18, Secunia Research wrote:
For your information, we do read every single posting on the "Secunia Vulnerabilities Forum". When we see relevant information we will, to the extend possible, confirm this and, if applicable, update the relevant advisory.
This means that if we don't update an advisory, usually within one business day, then the advisory is considered accurate as is - or the posting didn't contain sufficient evidence to prove, reproduce, or verify the claim.
For more information about the "Secunia Vulnerabilities Forum" see:
http://secunia.com/community/forum/thread/show/374...
This page contains some details on the terminology used and ratings:
http://secunia.com/advisories/terminology/
Thank you for uhhhh...clearing this up! (insert sarcasm emoticon here)
Will there be a statement or announcement of any significant relevancy and/or clarity regarding this issue forthcoming by Secunia and/or Mozilla any time in this millennium ??
Secunia is a terrific program, and I surely cannot complain about its cost (nil)--but this situation seems ridiculous to me. Can we PLEASE get some relevant information (a workaround, perhaps?) sometime SOON????
Respectfully,
Joe D aka Pink_Freud
Was this reply relevant? +2 / -1

Pink_Freud
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
15th Mar, 2010 18:55
Score: -11 Posts: 8 User Since: 9th Oct 2009 System Score: 100% Location: N/A Last edited on 15th Mar, 2010 18:56
Hmmm. Seems to be a lot of posts "minimized due to negative relevancy" on this thread. Go ahead and bury your heads in the sand if you wish, but I STRENUOUSLY disagree with the thumbs down "(Un) Reccing Crew".
I'll say it again for those who may have misinterpreted what I previously posted:
Will there be a statement or announcement of any significant relevancy and/or clarity regarding this issue forthcoming by Secunia and/or Mozilla any time in this millennium ??
Secunia is a terrific program, and I surely cannot complain about its cost (nil)--but this situation seems ridiculous to me. Can we PLEASE get some relevant information (a workaround, perhaps?) sometime SOON????
Respectfully,
Joe D aka Pink_Freud
Was this reply relevant? +2 / -9

bjm-
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
15th Mar, 2010 19:39
Score: 21 Posts: 262 User Since: 9th Mar 2009 System Score: 100% Location: US
@ Secunia
This means that if we don't update an advisory, usually within one business day, then the advisory is considered accurate as is - or the posting didn't contain sufficient evidence to prove, reproduce, or verify the claim.
The above Secunia explanation is meaningless, useless double speak:
If we (Secunia) don't update an advisory ....
then the advisory accuracy is "as is" ...or,
the advisory accuracy is "not as is".
Clear as mud!
Oh! and also contradicts Secunia's mission statement.
Regards to all PSI users in this thread!
Respectfully submitted,
bjm-
Was this reply relevant? +3 / -2

bjm-
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
15th Mar, 2010 19:55
Score: 21 Posts: 262 User Since: 9th Mar 2009 System Score: 100% Location: US Last edited on 15th Mar, 2010 20:09
(unknown source)
For your information, we do read every single posting on the "Secunia Vulnerabilities Forum". When we see relevant information we will, to the extend possible, confirm this and, if applicable, update the relevant advisory.
When we see relevant information....relevant information from who/what?
Secunia in-house specialists verify all reported vulnerabilities before the advisory release....that is what Secunia's mission statement asserts.
Secunia will only update the relevant advisory if / when Secunia sees relevant information.
Secunia typo~ "to the extend possible" .... I imagine Secunia meant "to the extent possible"
@Pink Freud
Will there be a statement or announcement of any significant relevancy and/or clarity regarding this issue forthcoming by Secunia and/or Mozilla any time in this millennium ??
IMO ~ NO
Secunia will only update the relevant advisory if / when Secunia sees relevant information.
IMO ~ Since Secunia posted the advisory absent relevant information...why would Secunia consider looking for relevant information now?
Respectfully submitted
This reply will be minimized due to a negative Relevancy Score. I corrected Secunia spelling ~ minimised ~ ;-)
Was this reply relevant? +2 / -3

geewhiz
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
16th Mar, 2010 00:33
Score: -2 Posts: 1 User Since: 10th Jul 2009 System Score: N/A Location: N/A Last edited on 16th Mar, 2010 00:33
Hello,
I have been watching this thread in keen anticipation of some useful and relevant resolve to this particular issue since the very beginning. I doubt if I can take it anymore.
So I logged in JUST TO ADD MY "THUMBS UP" to several posters who seem to care as much as I do regarding WHAT IS SECUNIA ACTUALLY UP TO with such juvenile and insulting responses to VERY VALID CONCERNS OF PSI USERS such as myself and others...you know who you are.
Unless the substance of this thread is indicative of what we can come to expect in the future from Secunia - lazy, immaterial, irrelevant, indeed insulting addresses to serious inquiries - there is little here to make one believe that Secunia has given any thought to the integrity of its reputation regarding PSI.
Maybe it is PSI that is truly broken rather than Firefox.
For shame, Secunia...for shame!
"This post will be minimized due to whatever Secunia decides, relevant or not"
(sigh)
Was this reply relevant? +2 / -4

bjm-
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
16th Mar, 2010 20:58
Score: 21 Posts: 262 User Since: 9th Mar 2009 System Score: 100% Location: US
@ Forum
Secunia has posted their policy regarding the Forum.
http://secunia.com/community/forum/thread/show/374...
-------------------------------
To any user expecting a response from Secunia... I sadly offer:
You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.
The forum is considered the community's. You will, therefore, not necessarily see any responses nor comments from Secunia Officials.
This means that if a forum post disputes a Secunia Advisory and the advisory is not updated, usually within 1 business day, then the advisory is considered accurate as is - or the posting didn't contain sufficient evidence to prove, reproduce, or verify the claim.
-----------------------------------
So, unless a user is able to post a dispute to a Secunia Advisory that contains sufficient evidence to prove, reproduce, or verify the user's disputed claim, you will not see any responses nor comments from Secunia Officials.
Once Secunia issues an Advisory, the Advisory stands....until and unless a user / anyone can prove to Secunia and satisfy Secunia that the Secunia issued Advisory is not accurate as is.
Respectfully submitted
"This post will be minimized relevant or not"
Was this reply relevant? +7 / -2

0puns0r3s
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
17th Mar, 2010 09:08
Score: -5 Posts: 22 User Since: 27th Feb 2010 System Score: N/A Location: IN Last edited on 17th Mar, 2010 09:21
This has set quite a bad precedent from Secunia since:
1. Mozilla did not consider this as a "vulnerability" since the hacker refused to disclose it. He claimed that anyone could "buy" the vulnerability from him.
2. Secunia have a good reputation with the Security Community. So why would they continue flagging this if they're not sure at all?
3. They report this "vulnerability" as "Mozilla Firefox Unspecified Code Execution Vulnerability". Basically, they're actually admitting that they have no idea about the "code execution" since they've used the word "unspecified".
4. However, they should have made it much clearer in the advisory.
5. They should have contacted both Mozilla and the hacker and then come to a decision whether this vulnerability does exist or not!
6. Or they could have tested out this vulnerability if possible.
7. So who gains because of this so-called unproved vulnerability?:
a. Rival browsers like Internet Explorer, Opera, Safari, Chrome etc...There is already a lot of FUD like memory hogging, startup, etc..etc..spread about Firefox. This will only add more FUD:(. I did not expect Secunia to do this.
b. More FUD will (continue) to be spread over the internet. People will immediately point out to Firefox 3.6 and say "Mozilla never offered a patch for it. They failed" etc..etc..
(never mind the fact that nobody is sure of this vulnerability! No one would even bother to read this thread)
Like they say in the internets....Epic Fail:)
Was this reply relevant? +5 / -2

monsignor
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
18th Mar, 2010 20:54
Score: -8 Posts: 3 User Since: 3rd Apr 2009 System Score: 100% Location: US Last edited on 18th Mar, 2010 20:54
Perhaps a small fee should be required for PCI; in this way users can legitimately demand more accountability than ..."[he] was reliable in the past for pointing out vulnerabilities."
-- jerryc
Was this reply relevant? +1 / -7

millstone
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
18th Mar, 2010 22:18
Score: 0 Posts: 1 User Since: 18th Mar 2010 System Score: N/A Location: NL Last edited on 18th Mar, 2010 22:18
A lot of damage has already been done with this advisory, I imagine. Does Firefox have a damage control team? Something like SAS and Opera put in recently? That worked!
However, in security, silence is golden. This is not the same as security by obscurity.
We should assume that Evgeny Legerov is a Secunia insider. Then he himself could have done the verification.
Probably there is no Firefox vulnerability. That does not mean that there is not a problem now. Everybody has a problem if Secunia says there is. I think correcting a mistaken advisory is not easy, politically, if it means admitting an organisational flaw. An escape could be a new Firefox release. Because when there is no attention to an old advisory anymore, then changing it would hurt Secunia less.
Mozilla please bring out a dummy patch for this dummy vulnerability. Should not be too difficult. Weave it in with another fix.
Now is a very inconvenient moment for a problematic Firefox vulnerability (very convenient though for the competition).
Minimization imminent?
Was this reply relevant? +5 / -5

azbob
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
19th Mar, 2010 05:39
Score: 13 Posts: 2 User Since: 23rd Feb 2010 System Score: N/A Location: US Last edited on 19th Mar, 2010 05:39
The latest from the Mozilla Security Blog:
Update on Secunia Advisory SA38608
03.18.10 - 08:20pm
Mozilla was contacted by Evgeny Legerov, the security researcher who discovered the bug referenced in the Secunia report, with sufficient details to reproduce and analyze the issue. The vulnerability was determined to be critical and could result in remote code execution by an attacker. The vulnerability has been patched by developers and we are currently undergoing quality assurance testing for the fix. Firefox 3.6.2 is scheduled to be released March 30th and will contain the fix for this issue. As always, we encourage users to apply this update as soon as it is available to ensure a safe browsing experience. Alternatively, users can download the current Beta build of Firefox 3.6.2, which contains the fix from here: https://ftp.mozilla.org/pub/mozilla.org/firefox/ni...
Was this reply relevant? +9 / -0

0puns0r3s
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
19th Mar, 2010 08:43
Score: -5 Posts: 22 User Since: 27th Feb 2010 System Score: N/A Location: IN Last edited on 19th Mar, 2010 08:43
1. Black Hatter announces a "vulnerability" in the hopes that someone buys his software. He also threatens not to release the vulnerability.
2. All news sites and security sites publicize the story without any confirmation.
3. Mozilla refuses to "pay up".
4. The vulnerability does not seem to affect a lot of people and Mozilla goes ahead and announces that they will release 3.6.2 anyways.
5. Hacker realizes that he is being foolish and releases the code:)
Questions which will remain unanswered:
1. Why did the hacker take a sudden "u" turn and release the vulnerability?
2. Did Secunia have any knowledge of the exploit?
3. Was the whole thing supposed to be a publicity stunt for the hacker's "Vulndisco" software package?
I guess Mozilla will release the code exploit after the update. I'm also assuming that the exploit will work only with user interaction, i.e. clicking on an untrusted link or something like that?
Was this reply relevant? +3 / -2

Jesant13
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
19th Mar, 2010 15:49
Score: -12 Posts: 8 User Since: 10th Sep 2009 System Score: 100% Location: US Last edited on 19th Mar, 2010 15:49
I'm glad Mozilla has patched the vulnerability and that they plan on releasing the update on March 30th. Great job guys. :)
Was this reply relevant? +1 / -1

bjm-
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
19th Mar, 2010 16:52
Score: 21 Posts: 262 User Since: 9th Mar 2009 System Score: 100% Location: US Last edited on 19th Mar, 2010 17:01
Then I guess this will vindicate Secunia...as having issued an accurate insecure vulnerability from day one.
Question is...if hatter only just released info to Mozilla....how did Secunia get the info weeks ago? I remain confused. OK, now Mozilla will patch because the vendor has reproduced the threat only because hatter gave it up. So, does Secunia verify, validate, test, reproduce all reported threats prior to issuing an insecure, or does Secunia just report them?
What prompted this turn of events....
Funny how all the actors ~ Secunia ~ Firefox ~ the hatter .... are all vindicated now?
Maybe some times all the pieces just fall into place....or maybe some times the pieces have help?
Guess I'll have to continue to blindly trust Secunia (as I did prior to this issue).
Why did it take FF so long to acknowledge?
Why did the hatter resist till now and now is willing to cooperate?
How did Secunia know the threat was valid all along?
Why has no one else previously reported duplicating the vulnerability?
Why has no one reported having an issue with this threat?
This Secunia Cat4....How did Secunia know...Why was Secunia so certain they were reporting an accurate insecure?
Crystal Ball
http://blog.mozilla.com/security/
Was this reply relevant? +6 / -0

Secunia Research
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
19th Mar, 2010 17:49
Score: 5 Posts: 7 User Since: 16th Feb 2010 System Score: N/A Location: Copenhagen, DK
Our Chief Security Specialist has issued a blog about this at:
http://secunia.com/blog/90/
We will be adding details about the vulnerability to our advisory once Mozilla has issued version 3.6.2. An in-depth Binary Analysis has been issued to our BA customers.

Pink_Freud
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
19th Mar, 2010 23:09
Score: -11 Posts: 8 User Since: 9th Oct 2009 System Score: 100% Location: N/A Last edited on 19th Mar, 2010 23:15
(unknown source)
Then I guess this will vindicate Secunia...as having issued an accurate insecure vulnerability from day one.
Question is...if hatter only just released info to Mozilla....How did Secunia get the info weeks ago. I remain confused. OK, now Mozilla will patch because vendor has reproduced threat only because hatter gave it up. So, does Secunia verify, validate, test, reproduce all reported threats prior to issuing an insecure or does Secunia just report them.
What prompted this turn of events....
Funny how all the actors ~ Secunia ~ Firefox ~ the hatter .... are all vindicated now?
Maybe some times all the pieces just fall into place....or maybe some times the pieces have help?
Guess, I'll have continue to blindly trust Secunia (as I did prior to this issue).
Why did it take FF so long to acknowledge?
Why did the hatter resist till now and now is willing to cooperate?
How did Secunia know the threat was valid all along?
Why has no one else previously reported duplicating the vulnerability?
Why has no one reported having an issue with this threat?
This Secunia Cat4....How did Secunia know...Why was Secunia so certain they were reporting an accurate insecure?
Crystal Ball
http://blog.mozilla.com/security/[/quote]
I can't wait for the movie...
Starring Matt Damon as Mozilla Corp CEO John Lilly, John Malkovich as Evgeny "KGB" Legerov, Edward Norton and Michael Rispoli...
http://www.imdb.com/title/tt0128442/quotes
---------------------------------------------
Mozilla confirms critical Firefox bug
Slates patch for March 30; flaw can't be used in upcoming Pwn2Own hack contest
By Gregg Keizer
March 19, 2010 04:05 PM ET
http://www.computerworld.com/s/article/9173698/Moz...
Computerworld - Mozilla yesterday confirmed a critical vulnerability in the newest version of Firefox, and said it would plug the hole by the end of the month.
Although the patch won't be added to Firefox before next week's Pwn2Own browser hacking challenge, researchers won't be allowed to use the flaw, according to the contest's organizer.
"The vulnerability was determined to be critical and could result in remote code execution by an attacker," Mozilla acknowledged in a post to its security blog late Thursday. "The vulnerability has been patched by developers and we are currently undergoing quality assurance testing for the fix."
As John Lennon once sang: Strange Days, Indeed. Most peculiar Mama.
ETA: Thank you to those Secunia users who have posted on this "conundrum" --most notably bjm.
This posting will now be minimized due to...... you know the rest.
Respectfully,
Pink_Freud AKA Joe D.
bjm-
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
20th Mar, 2010 00:32
Score: 21 Posts: 262 User Since: 9th Mar 2009 System Score: 100% Location: US Last edited on 20th Mar, 2010 00:35
@ Pink_Freud AKA Joe D.
If my wife is watching, I'll be coming straight home after the meeting... and all this lawyer stuff has got me thinkin', maybe later tonight, if you present me with your briefs, I'll recommend a merger.
Cheers
bjm-
This posting will now be minimized due to......you know the rest.
coopa
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
22nd Mar, 2010 15:31
Score: 4 Posts: 4 User Since: 9th Mar 2010 System Score: N/A Location: US Last edited on 22nd Mar, 2010 16:40
EDIT: Let's be fair, folks. If Secunia had been more open about why the bug had been accepted and Mr. Legerov's track record, we would have had little reason to doubt them.
Giving my post a negative relevancy score - for acknowledging that they were right and expressing my belief that Secunia could have avoided ill will by clarifying the advisory sooner - seems like a sheerly vindictive move.
---------------------------------------------
Well, well, well. Secunia gets the last laugh.
However, I think Secunia could take a couple lessons from this.
-Authors should get a page that shows any and all exploits they are credited with and how those exploits were assigned (e.g. were they verified via PoC? Acknowledgment from vendor? Based on trustworthiness of past exploits?)
-Secunia should publicly acknowledge the context on which an exploit was accepted on the exploit page itself.
This would have done a lot to make Secunia's vulnerability assessment/acceptance process a lot more transparent and would have fostered trust in both Secunia and Mr. Legerov.
In addition, the lack of public comment/acknowledgment did little to boost Secunia's credibility. Just explaining what you did in the blog post you made today would have gone a long way in keeping peace.
bjm-
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
22nd Mar, 2010 18:10
Score: 21 Posts: 262 User Since: 9th Mar 2009 System Score: 100% Location: US
@ coopa
Kudos for defending yourself against the faceless thumbs....
Kudos for contributing to the dialog...
I support your comments...
Regards
bjm-
pc.tech1
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
22nd Mar, 2010 20:13
Score: 3 Posts: 14 User Since: 13th Feb 2010 System Score: N/A Location: US Last edited on 22nd Mar, 2010 20:13
- https://wiki.mozilla.org/WeeklyUpdates/2010-03-22#...
WeeklyUpdates/2010-03-22 - "QA and release teams are quickly checking the risk of 1.9.2 patches, to see if we can get 3.6.2 out early this week."
-- This machine has no brain.
Use your own.
pc.tech1
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
23rd Mar, 2010 06:25
Score: 3 Posts: 14 User Since: 13th Feb 2010 System Score: N/A Location: US Last edited on 23rd Mar, 2010 06:25
Firefox v3.6.2 released
---
From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html
What’s New in Firefox 3.6.2
- http://www.mozilla.com/en-US/firefox/3.6.2/release...
"Firefox 3.6.2 fixes the following issues found in previous versions of Firefox 3.6:
* Fixed a critical security issue that could potentially allow remote code execution (see bug 552216).
* Fixed several additional security issues.
* Fixed several stability issues.
Please see the complete list of changes* in this version..."
* https://bugzilla.mozilla.org/buglist.cgi?quicksear...
111 bugs found.
-- This machine has no brain.
Use your own.
sigV_26
RE: Mozilla Firefox Unspecified Code Execution Vulnerability
24th Mar, 2010 05:22
Score: -4 Posts: 1 User Since: 27th Nov 2009 System Score: N/A Location: N/A
Totally right man! I wonder how long it takes this lot to catch up and stop scaring naive people. I had 3.6.2 installed in its beta version up until the recent release; however, my version (beta) had the issues in question resolved. That didn't seem to trickle through to the good people at Secunia. One wonders how long it takes for them to update their database and what other unfounded threat messages are emanating from this source. Get your act up to speed!
ky331
RE: Mozilla Firefox Multiple Vulnerabilities
1st Apr, 2010 16:26
Score: -1 Posts: 5 User Since: 4th Apr 2008 System Score: N/A Location: US Last edited on 1st Apr, 2010 16:26
I just implemented the 31 March additional suggestion, to
set the "security.ssl.require_safe_negotiation" preference to "true"
and upon doing so, I can no longer access any secure (https://) sites.
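The symptom ky331 reports is what "security.ssl.require_safe_negotiation" does by design: with it set to "true", Firefox refuses any HTTPS server that does not advertise RFC 5746 secure renegotiation (the renegotiation_info extension, type 0xff01) in its ServerHello, and in early 2010 most servers did not yet. The Python below is an added example, not code from this thread or from Mozilla; it builds two constructed ServerHello records (a patched server and a pre-RFC 5746 one) and checks for that extension, which is the condition the preference enforces.

```python
import struct

# RFC 5746 extension type carried in ClientHello/ServerHello.
RENEGOTIATION_INFO = 0xFF01

def build_server_hello(extensions):
    """Build a minimal TLS 1.0 ServerHello record (constructed sample, not a real capture)."""
    # protocol version, 32-byte random, empty session id, TLS_RSA_WITH_AES_128_CBC_SHA, null compression
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body            # HandshakeType server_hello(2)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)

def parse_server_hello_extensions(record):
    """Return {extension_type: data} from a ServerHello record ({} when it carries no extensions)."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 2 + 32                      # skip protocol version and random
    pos += 1 + body[pos]              # session id length byte plus session id
    pos += 2 + 1                      # cipher suite, compression method
    if pos == len(body):
        return {}                     # pre-extension server: nothing advertised
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("extension block length does not match message")
    exts = {}
    while pos + 4 <= end:
        ext_type, data_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        exts[ext_type] = body[pos:pos + data_len]
        pos += data_len
    if pos != end:
        raise ValueError("malformed extension block")
    return exts

def supports_secure_renegotiation(record):
    """True when the server echoes an empty renegotiated_connection (RFC 5746, initial handshake)."""
    return parse_server_hello_extensions(record).get(RENEGOTIATION_INFO) == b"\x00"

# Constructed samples: a patched server and one that predates RFC 5746.
PATCHED_SERVER = build_server_hello([(RENEGOTIATION_INFO, b"\x00")])
LEGACY_SERVER = build_server_hello([])
```

A server whose ServerHello parses like LEGACY_SERVER is exactly the kind the preference blocks, so the fix on the client side is to wait for the server to be patched rather than to loosen the check.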
ky331
RE: Mozilla Firefox Multiple Vulnerabilities
1st Apr, 2010 16:28
Score: -1 Posts: 5 User Since: 4th Apr 2008 System Score: N/A Location: US Last edited on 1st Apr, 2010 16:29
(accidental duplication: post deleted by author)
luolimao
RE: Mozilla Firefox Multiple Vulnerabilities
1st Apr, 2010 21:58
Score: 2 Posts: 9 User Since: 26th Sep 2009 System Score: 100% Location: N/A Last edited on 1st Apr, 2010 21:58
1. forcing SSL authentication has a) seemingly nothing to do with the vulnerabilities and b) breaks SSL websites for a significant number of people
2. the problem here is not firefox: ALL code has an unending number of vulnerabilities, and stating them openly only means that the Mozilla community is patching more vulnerabilities faster; it's not a blight, it's (sort of) a compliment.
3. Updating firefox to 3.6.2 is certainly a good idea, because of all the vulnerabilities (including others not mentioned here)
so why is everyone so mad?