Forum Thread: Firefox patch

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Open Discussions

This thread has been marked as locked.
forgetaboutit45 Firefox patch
Member 24th Feb, 2010 01:57
Ranking: 0
Posts: 1
User Since: 22nd Sep, 2009
System Score: N/A
Location: US
I recently came across an issue with Firefox. I was running version 3.5 at the time. Secunia informed me that I had a security issue with that version. I proceeded to go to the Firefox website and upgrade to the most recent version, which is 3.6. I then scanned again and Secunia is still telling me that I still have a security issue. I am running Windows XP Home Edition with Service Pack 3. All of my XP updates are current.

What to do
DeSamuel

--
DeSamuel

TiMow RE: Firefox patch
Dedicated Contributor 24th Feb, 2010 07:15
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Last edited on 24th Feb, 2010 09:11
As of 18 Feb Firefox 3.6 is flagged insecure by Secunia - cat.4, SA38608 refers.

See this thread:

http://secunia.com/community/forum/thread/show/358...

This was a third party report, and as of yet has NOT been confirmed by Mozilla, or (as far as I'm aware) verified independently by Secunia.

I downgraded to Ff version 3.5.8, which was indicated as not affected, and as of my last scan 2 days ago, remains secure.

Hope this helps.

TiMow

--
Computing is not yet a perfect science - it still requires humans.
This user no longer exists RE: Firefox patch
Member 24th Feb, 2010 08:42
Hi,
The Secunia researchers verify all exploits before issuing advisories.

Please refer to:
http://secunia.com/research/about/
http://secunia.com/products/corporate/VIF/
TiMow RE: Firefox patch
Dedicated Contributor 24th Feb, 2010 09:02
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Thanks for clarification, Emil.

For me, it wasn't clear until now (even referring to your included links).

I had been following the other related thread (as in included link above), and the opinion / reality was still somewhat ambiguous.

TiMow

--
Computing is not yet a perfect science - it still requires humans.
Lee Ving RE: Firefox patch
Member 24th Feb, 2010 15:24
Score: -7
Posts: 6
User Since: 16th Dec 2009
System Score: N/A
Location: N/A
I have version 3.5.8 and still get the incessant warnings; you just have to ignore the program. It does this with Flash and a few other programs; no matter what you do, Secunia will never stop warning you. You have to put the programs on the ignore list.
This user no longer exists RE: Firefox patch
Member 24th Feb, 2010 15:52
Last edited on 24th Feb, 2010 15:54
@Lee Ving
Hi,

Ignoring software leaves your system exposed to risk. Only ignore software if you feel the threat is acceptable, or have some special reason not to patch a certain program.

Our Flash rules currently work as intended. However, Flash fails to remove older versions of itself, so after patching the insecure version will frequently remain, and be flagged separately (since the detected version is still present).

If you are running Firefox 3.5.8 you are secure, and the PSI should flag you as such. Does the PSI show "3.5.8" in the version field? If so, please rescan, and you really shouldn't be flagged as insecure.

Hope this helps.
Lee Ving RE: Firefox patch
Member 24th Feb, 2010 17:24
Score: -7
Posts: 6
User Since: 16th Dec 2009
System Score: N/A
Location: N/A
I stand by my statements. Here are the details:

Flash: from the registry version 10.0.45.2 2 I could find no other versions of Flash.

Firefox: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8

Secunia cannot accept these programs. I know all about the "OMG, you won't update" argument for not ignoring Flash and Firefox; the point is they are updated, and if you want to stop the nagging of Secunia you put them in the ignore category. At this point why would I trust Secunia all of a sudden finding there is an even newer update? It is a case of the "boy who cried wolf." With the constant warnings you end up ignoring Secunia altogether. It's a choice of slowly adding programs to the ignore list or ignoring Secunia all the time.
Anthony Wells RE: Firefox patch
Expert Contributor 24th Feb, 2010 17:48
Score: 2437
Posts: 3,327
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 24th Feb, 2010 17:50
Hello Lee Ving ,

The problem you are facing is not PSI "crying wolf" but more your learning how to interpret the information you get . Believe me , if you have PSI showing an insecure version of Flash , you more than likely have an out of date ActiveX .ocx file in the ..\Macromed\Flash\.. folder , somewhere on your computer ; either on your main drive or in a back up drive or in an i386 folder .


I will give you some basic advice (sorry if you already know) , which may help you explain any problems to us more specifically :-

To help resolve any problem , here are some instructions to help you first of all get the best out of PSI :-

1)use PSI in "advanced" mode ;
2)in the "settings" tab make sure that the box in the first/upper section is NOT ticked in order to have the maximum info available ;
3)tell us in which "tab(s)" your problem programme is located ;
4)in that tab , click on the + in the box at the left end of the programme , the page will expand ;
5)in the expanded page , tell us what is written in the "installation path" ;
6)in the "toolbox" section , lower down , the link "technical details" should confirm the installation path details ;
7)click on the link "open folder" and you will see more details concerning the location of the "problem" .

Posting these details will help the Forum help you , if/when you have a problem .

Run a PSI scan with your "ignore rules" set and then delete them (one at a time if you wish , they are easy to reset using the "toolbox" (steps 6/7 above) and using the "ignore program" icon) and run another scan .

Let us know what you find and if you need help dealing with anything . Flash can be tricksy until you know how to deal with it .

Anthony

--


It always seems impossible until its done.
Nelson Mandela
TiMow RE: Firefox patch
Dedicated Contributor 24th Feb, 2010 17:57
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Are you sure that PSI is not reporting on elements of older versions that were not fully removed with the latest update? Flash is well known for this, and even offers a downloadable uninstaller to use before updating.

You may have to investigate the file locations to see what you have; or just run the uninstaller, and then re-install Flash.

If you click on my name on the left it will list all replies I've given. Any one near the top relating to Adobe Flash will give more info.

TiMow

--
Computing is not yet a perfect science - it still requires humans.
Lee Ving RE: Firefox patch
Member 24th Feb, 2010 18:54
Score: -7
Posts: 6
User Since: 16th Dec 2009
System Score: N/A
Location: N/A
I did get rid of Flash 10d.ocx and rescanned. Secunia said there was no change, then a few seconds later a pop-up said I had one program, Firefox, insecure.

The stats on that are:
Technical details about this installation of Mozilla Firefox 3.5.x, you can use this information to determine why the Secunia PSI detected the program and the security state of it.

Version Detected:
3.5.6

Installation Path:
D:\Program Files\Mozilla Firefox\firefox.exe

Last Inspection of Program:
24th Feb. 2010, 17:02 CET

I have version 3.5.8 installed; deleting Firefox.exe is not an option. There are no 2 other executable files in the folder the updater and crashreporter. Secunia does not see this:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8

I don't see what else can be done. I am not going to uninstall Firefox.

OK, got it: just noticed it was the D:\ drive, which is Vista. I never use Vista so I will just ignore Firefox. Secunia is redundant anyway since Firefox alerts me about updates anyway.

This user no longer exists RE: Firefox patch
Member 25th Feb, 2010 08:41
on 24th Feb, 2010 18:54, Lee Ving wrote:

Version Detected:
3.5.6

Installation Path:
D:\Program Files\Mozilla Firefox\firefox.exe


Hi,

Version 3.5.6, that you appear to have installed, is not secure.
Please refer to: http://secunia.com/advisories/37242

So far, nobody has reported misdirection of Firefox (because the Mozilla dev team upgrade the version numbers of their files), so it's extremely likely that you have not, in fact, applied the update. I have just tried updating from FF 3.5.6 to 3.5.8 via Mozilla's own updating system, and detection works flawlessly. After updating, please close and reopen Firefox.

Alternatively, click the Solution button from the PSI again, and install the patch, or update via Firefox's built-in update mechanism. Then try a rescan, and you should now have version 3.5.8.

Hope this helps.
Lee Ving RE: Firefox patch
Member 25th Feb, 2010 16:08
Score: -7
Posts: 6
User Since: 16th Dec 2009
System Score: N/A
Location: N/A
I have Windows XP and Vista installed; Secunia was flagging the Vista version. Since I never use Vista I don't need to update it.

Thanks

This thread has been marked as locked.
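
The cause found in this thread (a stale firefox.exe on a second OS partition, and leftover Flash .ocx files) can be checked by inventorying every copy of a file across all fixed drives. The following is an added example, not part of the thread and not Secunia's code: `Find-ProgramCopy` is a hypothetical helper name, it assumes PowerShell 3.0 or later, and it assumes the file's ProductVersion resource carries the product version.

```powershell
# Added example (not from the thread): list every copy of a program file on
# all local fixed drives with the version stamped in each file, so a stale
# copy on a second OS partition or in a backup folder stands out.
# Find-ProgramCopy is a hypothetical helper name. Requires PowerShell 3.0+.
function Find-ProgramCopy {
    param(
        [Parameter(Mandatory = $true)]
        [string]  $Filter,           # file name or wildcard, e.g. 'firefox.exe'
        [version] $MinimumVersion    # optional: copies older than this are flagged
    )

    # DriveType 3 = local fixed disk, so every installed OS partition is covered.
    $roots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' |
        ForEach-Object { $_.DeviceID + '\' }

    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Filter $Filter -File -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Assumption: ProductVersion holds the product version.
                # Some vendors write it with commas ("10,0,45,2"), so normalise.
                $raw    = [string]$_.VersionInfo.ProductVersion
                $parsed = ($raw -replace '\s*,\s*', '.').Trim() -as [version]

                $status = if (-not $parsed) { 'unknown version' }
                          elseif (-not $MinimumVersion) { 'listed' }
                          elseif ($parsed -lt $MinimumVersion) { 'OUTDATED' }
                          else { 'ok' }

                [pscustomobject]@{
                    Status  = $status
                    Version = $raw
                    Path    = $_.FullName
                }
            }
    }
}

# 3.5.8 is the version the staff reply in this thread names as secure at the time.
Find-ProgramCopy -Filter 'firefox.exe' -MinimumVersion '3.5.8' | Format-Table -AutoSize

# Leftover Flash ActiveX controls: list only, since the thread gives no baseline.
Find-ProgramCopy -Filter 'Flash*.ocx' | Format-Table -AutoSize
```

A full recursive walk of every drive is slow; folders the account cannot read are skipped silently, so run it elevated for complete coverage.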

