
Forum Thread: PSI 1.5.0.1 detects vulnerability

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Mozilla Foundation
And, this specific program:
Mozilla Firefox 3.6.x

This thread has been marked as locked.
Dr Zen PSI 1.5.0.1 detects vulnerability
Member 23rd Feb, 2010 14:41
Ranking: 1
Posts: 8
User Since: 2nd Nov, 2009
System Score: N/A
Location: US
This has been going on for a week or so now, that Secunia reports this browser as vulnerable SA38608. Dialog states "Mozilla Firefox 3.6.x (Assessment: Not secure for browsing, at least 1 critical attack vector exists when using this browser)"

Yet in the advanced view the dialog is "This installation of Mozilla Firefox 3.6.x was detected as being patched. Firefox 3.6x is located in my OS correct path XX:\Program Files\Mozilla Firefox\firefox.exe

The Secunia PSI has not detected any missing security related patches for this program. No further actions are currently needed." Would like some assistance as to whether 3.6 Firefox is vulnerable or not!

Thanks

--
Dr Zen

This user no longer exists RE: PSI 1.5.0.1 detects vulnerability
Member 23rd Feb, 2010 14:47
Hi,

The Insecure tab only shows programs with patchable exploits. Since the Firefox 3.6.x exploit is not yet patched, it isn't shown as "Insecure", since there is nothing our users can do to remedy the problem.

The Secure Browsing tab shows even unpatched exploits, because browsing with an insecure browser exposes you to additional risk. You can then decide whether or not to use the browser, depending on the severeness of the security problem.

Hope this helps.
metaed RE: PSI 1.5.0.1 detects vulnerability
Member 23rd Feb, 2010 22:42
Score: 1
Posts: 109
User Since: 11th Feb 2009
System Score: 100%
Location: US
If I understand this right, an insecure browser with no patch available is not listed as insecure, and is listed as Patched, because the user has no recourse before a patch is available.

If so, (i) it is misleading, and (ii) a user can still choose to uninstall the program, so it is also untrue.

What about non-browser software? If a vulnerability is discovered in any software, is the insecure software listed as Patched until a patch is available, then moved to Insecure?

I very much want to be alerted to my system's vulnerabilities so that I can make the best choice available to me at the time. I do not see how this can happen unless insecure software is listed as Insecure.

--
Sometimes they fool you by walking upright.
Anthony Wells RE: PSI 1.5.0.1 detects vulnerability
Expert Contributor 23rd Feb, 2010 23:23
Score: 2437
Posts: 3,323
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello metaed,

The Secunia statement is hardly news/ground breaking unless you are a newbie to PSI.

If so, the role of each tab "insecure", "eol", "patched" and "secure browsing" is clearly spelt out in the preamble at the top of each tab which clears any ambiguity about how one may translate the English terminology and what may appear in the tab.

Secunia does not check for software updates but for "vulnerabilities", it clearly describes any found in the Secunia Advisories and you can elect to have them emailed to you on a regular basis about any/all software.

PSI provides information for you to decide your action, what you do will depend on your competence, your paranoia and perhaps your need for help from the Forum.

Adding more tabs, complications, expense would not be my choice; but then again I don't know what plans Secunia have for PSI and us.

Take care
Anthony

--


It always seems impossible until it's done.
Nelson Mandela
This user no longer exists RE: PSI 1.5.0.1 detects vulnerability
Member 24th Feb, 2010 08:35
Last edited on 25th Feb, 2010 14:12
Hi,

Anthony is, of course, correct. The proper way to be notified of all security problems is to subscribe to our advisories.

The PSI is intended for home users. Most home users will not have any use for problems they can't patch. Our commercial product however, the Secunia CSI, does allow you to list even insecure programs without patches.

Hope this helps.

Pcfreakske2000 RE: PSI 1.5.0.1 detects vulnerability
Member 28th Feb, 2010 13:18
Score: 2
Posts: 4
User Since: 22nd Dec 2007
System Score: 100%
Location: BE
Indeed, I also get the message in Secunia PSI.
I hope they fix the problem soon.

I updated the Secunia PSI to the newest version.


--
Greetings,

Pcfreakske2000
This user no longer exists RE: PSI 1.5.0.1 detects vulnerability
Member 1st Mar, 2010 08:58
on 28th Feb, 2010 13:18, Pcfreakske2000 wrote:
Indeed, I also get the message in Secunia PSI.
I hope they fix the problem soon.

I updated the Secunia PSI to the newest version.


You don't need to update to 1.5.0.1 unless you want the language extension (we added 42 new languages). There is no other functionality change between the versions (no bug fixes, etc).

Hope this helps.
Dr Zen RE: PSI 1.5.0.1 detects vulnerability
Member 2nd Mar, 2010 19:21
Score: 1
Posts: 8
User Since: 2nd Nov 2009
System Score: N/A
Location: US
Ok, see that I started a Fire with this question. Anyway, I was noticing errors in Admin tools on Vista 32bit OS. Uninstalled 3.6x and moved back to 3.5x and Secunia lists it as no security problems.

Whether Secunia is right with 3.6x remains unclear...but I err on the side of the least confusion.

I will not add here to this thread again unless there is some overwhelming issue I need to flesh out.

Once again, sorry for getting so much to this thread and the bandwidth that it has used... c'ya!

--
Dr Zen
bjm__ RE: PSI 1.5.0.1 detects vulnerability
Member 2nd Mar, 2010 20:02
Score: 64
Posts: 374
User Since: 9th Mar 2009
System Score: 100%
Location: US
Last edited on 2nd Mar, 2010 20:05
Hi Dr Zen
So, you err on the side of least confusion...wise option. ;-)
Have you considered that FF3.6 fixed known security vulnerabilities in previous FF versions?
FF3.6 vs. FF3.5.8
FF3.6 reported as insecure (running 3.6)
FF3.5.8 reported as secure
If I revert to 3.5.8 then I have the Security Vulnerabilities in 3.5.8 that were fixed in 3.6
I'm at a loss to understand why Secunia reports FF3.5.8 as secure when FF3.6 fixed known security issues in 3.5.X
http://www.mozilla.org/security/known-vulnerabilit...
Regards
bjm-
If FF3.5.X is more secure (as per Secunia) compared to FF3.6, then why would FF3.6 include security fixes for known vulnerabilities in prior versions?
I remain uncertain & confused as to which FF ver to run....
Anthony Wells RE: PSI 1.5.0.1 detects vulnerability
Expert Contributor 3rd Mar, 2010 00:07
Score: 2437
Posts: 3,323
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello bjm,

Using your link to the Firefox Advisory for 3.6, at the top of that page is a pale blue link "Known Vulnerabilities in Mozilla Products"; if you click on it you get Firefox Advisories centre page; click on 3.5 and you will get 3.5.8 security updates at the top; to my eye they are identical to those shown for 3.6. So from a security update point of view both seem to be similarly updated. So the real question, for me, is whether 3.6 really is insecure as suggested in the Secunia Advisory.

Hope this helps.

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
bjm__ RE: PSI 1.5.0.1 detects vulnerability
Member 3rd Mar, 2010 17:20
Score: 64
Posts: 374
User Since: 9th Mar 2009
System Score: 100%
Location: US
Good day Anthony W
re > to my eye they are identical to those shown for 3.6 .
The updates may be identical or the updates may be tweaks to the same vulnerabilities.
While I have no basis for a Secunia false insecure....I am hesitant to go back to 3.5.X
If 3.6 is insecure...I fail to see why 3.5 would be secure.
Mozilla has always been quick to respond to reported known vulnerabilities.
As to whether 3.6 really is insecure as suggested in the Secunia Advisory.
I can only hope 3.6 is secure... but, I also hope Mozilla responds with info. Otherwise, this FF insecure will be similar to the IE ever present insecure.
Nice to visit with you
bjm-
Anthony Wells RE: PSI 1.5.0.1 detects vulnerability
Expert Contributor 3rd Mar, 2010 17:34
Score: 2437
Posts: 3,323
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello bjm,

I think we are following the same logic, including what else did 3.6 fix/improve security wise that was in 3.5.x.

What really gets me is this Russian black hat selling a "possible" hack which has had no "reliable" follow up/categorical truth anywhere since & to my "eye" again that includes Secunia and Mozilla.

I'm running 3.6, but again I also use "sandboxie".

Hope all is well with you.

Anthony



--


It always seems impossible until it's done.
Nelson Mandela
Dr Zen RE: PSI 1.5.0.1 detects vulnerability
Member 8th Mar, 2010 01:59
Score: 1
Posts: 8
User Since: 2nd Nov 2009
System Score: N/A
Location: US
Hey it is me again! Goodness my mailbox is filling up with responses to this thread. But it is all good.

I stated last time that I would not be back here unless some compelling reason. Well, not that compelling... Anyway, I found the following thread on Mozilla
blog.mozilla.com/security/2010/02/22/secunia-advisory-sa38608/ which was posted apparently by Lucas Adamski, Mozilla Security. I am not going to rehash it here... you all can read; I know that for a fact.

As well, linked to the above article were these threads... again read for yourself. But, from my read it appears that a product "VulnDisco 9.0" is involved.


But, according to the article "...Sebastian Klipper says: [on] 22.02.2010 at 15:07

Secunia CSO Thomas Kristensen now told me the following:... go to this page
blog.psi2.de/en/2010/02/20/going-commercial-with-firefox-vulnerabilities/comment-page-1/#comment-685 and read it for yourself... short so no worries about getting bogged down... RIGHTTTT!!!

I left a message there that says the following "Well? what is the current analysis. Lots of people are talking about this issue on Secunia forum... Waiting here. Give us some latest info. This IN PART is making Secunia appear to be "lacking". I and others depend on Secunia and FF... Update up please."

Ok, now back to my life; such as it is.

--
Dr Zen
Dr Zen RE: PSI 1.5.0.1 detects vulnerability
Member 10th Mar, 2010 17:35
Score: 1
Posts: 8
User Since: 2nd Nov 2009
System Score: N/A
Location: US
This thread is also continued at
http://secunia.com/community/forum/thread/show/358...

--
Dr Zen