
Vulnerability Report: Mozilla Firefox 3.6.x

This vulnerability report for Mozilla Firefox 3.6.x contains a complete overview of all Secunia advisories affecting it. You can use this vulnerability report to ensure that you are aware of all vulnerabilities, both patched and unpatched, affecting this product, allowing you to take the necessary precautions.

If you have information about a new or an existing vulnerability in Mozilla Firefox 3.6.x, then you are more than welcome to contact us.


 
Vendor, Links, and Unpatched Vulnerabilities

Vendor Mozilla Foundation

Affected By 21 Secunia advisories, 152 vulnerabilities

Unpatched 0% (0 of 21 Secunia advisories)

Most Critical Unpatched
There are no unpatched Secunia advisories affecting this product when all vendor patches are applied.




Discuss this Product
Subject: Mozilla Firefox 3.6.x 
howiem9999 RE: Mozilla Firefox 3.6.x
Member 20th Mar, 2011 06:11
Score: 2
Posts: 31
User Since: 8th Dec 2008
System Score: 100%
Location: TH
Last edited on 20th Mar, 2011 06:11
SA43550 shows the solution as:
Update to Mozilla Firefox version ......3.6.14 ........

The current version is 3.6.15, so the fixed version must be 3.6.16 or higher.


--
howiem
Anthony Wells RE: Mozilla Firefox 3.6.x
Expert Contributor 20th Mar, 2011 13:27
Score: 2428
Posts: 3,316
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi,

Secunia and the PSI only track security vulnerabilities and determine and display the latest patched version; bug or eye candy fixes are not monitored as such.

Version 3.6.14 contains all the available security patches and the PSI displays it as secure and fully patched. There are no known public vulnerabilities in Firefox atm as I type.

Version 3.6.15 is/was a Java applet bug fix only and so the "latest" secure version remains 3.6.14; of course the PSI also displays the 3.6.15 version as fully patched.

Version 3.6.16 is not released.

You can see the changelog and version release notes from within Firefox by using the "Help" dropdown menu and selecting the "Release notes" option.

Hope that is clear; if not, ask again.

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
IcI RE: Mozilla Firefox 3.6.x
Member 27th Mar, 2011 12:54
Score: 8
Posts: 8
User Since: 13th Jan 2010
System Score: N/A
Location: NZ
Hi.
Fair enough that 3.6.14 was the latest 'secure' version at the time, but it does cause confusion when Secunia reports 'the latest version' as 3.6.14 but on the vendor's site there is 3.6.15.

Please make it clear that the version displayed is the most secure version, and that any later versions are for other fixes, not security.

I believe that you can avoid a lot of frustration if you manage to make that distinction clear in the interface.

Anthony Wells RE: Mozilla Firefox 3.6.x
Expert Contributor 27th Mar, 2011 14:27
Score: 2428
Posts: 3,316
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello @IcI,

Secunia's business is validating/publicly displaying programme/app. vulnerabilities via its Secunia Advisories and its CSI for business use. This is unambiguous.

The free, for personal use, PSI checks to see if your programmes are the latest, secure, fully patched (as is "normally possible") version "available" and as displayed in their SAs; those are the known terms Secunia use in their context and need to be read as such.

As already stated, bug fix and eye candy updates are neither monitored nor displayed, as such; hence Mozilla Firefox versions 3.6.14 and 3.6.15 are both fully patched and secure and are both up to date; however, the "latest Ff 3.6.x patch" remains Ff 3.6.14 - Ff 3.6.15 was not a "security patch" but a Java app. bug fix. If there is a known public vulnerability which is "unpatched" for a programme/app, it is not shown by the PSI as "insecure" on the results page (such display is not allowed by Secunia, they've been asked many times); however, for a Browser or an Add-on (only) this is displayed in the "Secure Browsing" Module.

If you have specific suggestions to improve the understanding of any particular words or phrases in the Secunia Manual or any parts of the PSI's GUI, I'm sure Secunia support will be pleased to hear them.

Take care

Anthony




--


It always seems impossible until it's done.
Nelson Mandela
primordia RE: Mozilla Firefox
Member 6th Apr, 2011 19:55
Score: 1
Posts: 2
User Since: 6th Apr 2011
System Score: N/A
Location: US
The current most secure version of Firefox to date (4/6/2011) is 4.0. Why is it not visible to Secunia PSI when installed and being reported as 3.6.13 and as insecure at that?

PSI is encouraging what would essentially be a downgrade to Firefox 3.6.14 from Firefox 4.0. Come on, Firefox is arguably the world's most beloved browser. You would think that if the people at Secunia are serious about their business, they would get upgrades right for such an important item in their scan list.
Anthony Wells RE: Mozilla Firefox 3.6.x
Expert Contributor 6th Apr, 2011 21:19
Score: 2428
Posts: 3,316
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello @primordia,

You do not say which version of the PSI you are using (right click tray icon->"About") nor on which OS; which do you have?

Mozilla currently support 3 separate platforms for Firefox 3.5.x, 3.6.x and 4.0.x; you update only within a platform and not between platforms. If you are seeing Ff version 3.6.13 displayed as insecure then the correct update is to version 3.6.14, being the last one offering a security patch/update; later versions are bug fixes and not monitored as such, even though all later versions are displayed when installed.

Which version(s) do you have installed and displayed or not by the PSI?

What are the detected instance installation path(s) (click the [+] to the lhs of any programme entry) for Ff?

Anthony



--


It always seems impossible until it's done.
Nelson Mandela
primordia RE: Mozilla Firefox 3.6.x
Member 6th Apr, 2011 23:36
Score: 1
Posts: 2
User Since: 6th Apr 2011
System Score: N/A
Location: US


Hello Anthony,

Nicely surprised by your detailed response. I am running Secunia PSI version 2.0.0.3001 on an XP Pro machine.

I installed Firefox 4.0 on a machine already running Firefox 3.6.14; by all other indications the Firefox 4.0 installation process uninstalled or took the place of the 3.6 installation. Firefox 4.0 has been running very well with heavy use since installation, no crashes or errors.

When I run a Secunia PSI scan, it does not at all pick up that Firefox 4.0 is installed. The only indication in the scan results that Firefox is installed is the 3.6.13 version notation in the scan results. The exact and only file path shown is: C:\WINDOWS\ERDNT\cache\firefox.exe, version 3.6.13

Looking in XP's add/remove area shows no other versions of Firefox installed, only version 4.0.

Thanks
Anthony Wells RE: Mozilla Firefox 3.6.x
Expert Contributor 7th Apr, 2011 00:19
Score: 2428
Posts: 3,316
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 7th Apr, 2011 00:24
Hello again,

It's late for me here (CET) so I'll give you some info and check back tomorrow.

The Ff 3.6.13 file you have found is the ERDNT registry back up folder created by your ERUNT programme. The same problem has been discussed in this rather wandering thread where all the remedies are discussed:

http://secunia.com/community/forum/thread/show/796...

In summary, this is a back up file for your registry and is not accessible to change using the PSI link to 3.6.14 nor by you directly, neither is it available to the bad guys. Do not use the PSI's update link as this will only reinstall 3.6.14 back over your 4.0 version, which is not something you would wish, I would guess.

The options would seem to be:

1) click the [+] on the lhs of the programme and to the left of the "detected instance" are two yellowish folder icons; clicking
a) the one without the red blob should "open the folder" where the Firefox.exe file is, see if you can highlight and delete it; or
b) the one with the red blob will offer to set an ignore rule for the Ff file and the PSI will no longer scan or display the problem.

2) run your ERUNT programme to update itself; obviously do not run the programme to restore the Registry, that could cause untold chaos.

3) if 1)a) does not work and you would still wish to remove the offending file, if you have any software on your machine that will get at locked files then look at what "troothteller" did late on in the linked thread.

I was surprised in that thread and in your post that you both say Ff 4.0 is not listed in the "Scan Results"; the "insecure" Ff 3.6.13 will be at the top of the page but 4.0 should still appear alphabetically as Mozilla Firefox 4.0.x (as it does for me) and equally in the "secure browsing" module (link top left in "Patch your PC" any PSI page). Whatever, do not do any reinstalling of Firefox, it's a PSI display problem only and not serious, merely annoying.

EDIT: to correct the display you may need to reboot and run a full scan.

Will be back "sometime" tomorrow.

Take care

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
JeremyH RE: Mozilla Firefox 3.6.x
Member 13th Feb, 2012 17:52
Score: 0
Posts: 3
User Since: 13th Feb 2012
System Score: N/A
Location: US
Last edited on 13th Feb, 2012 17:52
So here's a general clarification question. This issue says it applies to FF versions 3.6.x; my assumption is it's only impacting those versions. Previous versions, for example 3.5.6, would not be impacted by this particular vulnerability, right?
ddmarshall RE: Mozilla Firefox 3.6.x
Dedicated Contributor 13th Feb, 2012 18:29
Score: 1205
Posts: 956
User Since: 8th Nov 2008
System Score: 98%
Location: UK
It's impossible to deduce which vulnerability you are referring to if you post here.

The Firefox 3.5 advisories are listed here:
http://secunia.com/advisories/product/25800/?task=...

Firefox 3.5 is no longer supported by Mozilla so vulnerabilities may not be notified.

--
This answer is provided “as-is.” You bear the risk of using it.

© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144