Forum Thread: Firefox 3.6.3 insecure

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Mozilla Foundation
And, this specific program:
Mozilla Firefox 3.6.x

This thread has been marked as locked.
Gwendo Firefox 3.6.3 insecure
Member 29th May, 2010 17:53
Ranking: 0
Posts: 3
User Since: 14th Sep, 2009
System Score: N/A
Location: N/A
Up until today....PSI 1.5.0.1 showed Firefox 3.6.3 as secure...I downloaded PSI 1.5.0.2 and it now shows Firefox 3.6.3 as insecure re: SA39925..but there is no actual solution. It is detected as being patched but shows as insecure with no actual solution. No patch solution is available that I can tell.
Location:
C:\ProgramFiles (x86)\Mozilla Firefox\firefox.exe

Is this related to the latest "Tabnapping"....URL redirect/site cloning problems (that appear when you temporarily leave one tab (minimize) and go to another, then return to your tab that you believe is secure but it has been hijacked/cloned while you left it) written about by Aza Raskin Mozilla Firefox lead in a blog post this week? Is this why 3.6.3 is listed as insecure? I have re-scanned several times and get the same thing. I checked and I have the latest Firefox version and updates. I feel Firefox is safest. using No Script ..don't and won't use dangerous IE and I see problems with Opera and others. What should I do?



TiMow RE: Firefox 3.6.3 insecure
Dedicated Contributor 29th May, 2010 18:04
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Last edited on 29th May, 2010 18:06
Hi Gwendo

The Firefox insecurity is coincidental to the PSI upgrade.

I can't answer your Q. in your 2nd para, but if you go to the Secure Browsing tab (Advanced mode), you will see that it is only cat.2 threat. If you click on the blue SA number on the right, this will take you to the Secunia Advisory for more info.

Until Mozilla issue a vendor patch (update) you should employ safe browsing practices until that time, when using Ff.

TiMow

EDIT: As of now the latest Chrome shows as secure.

--
Computing is not yet a perfect science - it still requires humans.
Was this reply relevant?
+0
-0
GoneToPlaid RE: Firefox 3.6.3 insecure
Member 29th May, 2010 18:59
Score: 5
Posts: 71
User Since: 1st Apr 2009
System Score: 100%
Location: Atlanta, US
Last edited on 29th May, 2010 18:59
on 29th May, 2010 17:53, Gwendo wrote:
Is this related to the latest "Tabnapping"....URL redirect/site cloning problems (that appear when you temporarily leave one tab (minimize) and go to another, then return to your tab that you believe is secure but it has been hijacked/cloned while you left it) written about by Aza Raskin Mozilla Firefox lead in a blog post this week? Is this why 3.6.3 is listed as insecure? I have re-scanned several times and get the same thing. I checked and I have the latest Firefox version and updates. I feel Firefox is safest. using No Script ..don't and won't use dangerous IE and I see problems with Opera and others. What should I do?


Hi Gwendo,

No, this isn't related to that particular threat. In this case the issue occurs if another tab's URL contains any sensitive information. You know, the extra stuff attached to the URL like "https://www.mybankname.com/?user=loginname" and such. The information appended to the URL (after the ".com/" part) in my example could be grabbed by another browser tab which was crafted to deliberately crash.

This particular threat is relatively minor since usually there isn't any really sensitive information appended to the URLs in other browser tabs. Exceptions would be a URL for a tab which includes a SessionID string or login information such as your user name.

The simple solution until this bug is fixed is to make sure that any other open browser tabs are for web sites which you trust when you are doing online banking or making an online purchase in another tab. If you are really paranoid then you could simply close all other tabs before you start doing sensitive stuff like online banking or making an online purchase.
Was this reply relevant?
+2
-0
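Added example, not part of any post in this thread: a small JavaScript audit that flags the kind of URL data described in the reply above (login names, session IDs) in the query string, fragment or userinfo, and returns a redacted form of the URL. The parameter-name list, the opaque-value heuristic and all sample URLs except the bank one quoted in the reply are constructed assumptions.

```javascript
// Added example: find sensitive data carried inside a URL and redact it.
// Name list and value heuristic are assumptions; tune them for your own applications.
const SENSITIVE_NAMES = /^(user(name)?|login|pass(word)?|pwd|email|token|auth|key|(j?session|sess|s)_?id|phpsessid)$/i;
// Values that look like opaque identifiers: 16+ hex chars or 24+ base64url chars.
const OPAQUE_VALUE = /^[0-9a-f]{16,}$|^[A-Za-z0-9_-]{24,}$/i;

function auditUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { url: raw, findings: [{ where: 'url', name: null, reason: 'unparseable' }], redacted: null };
  }
  const findings = [];
  const scan = (params, where) => {
    for (const [name, value] of [...params]) {   // copy first: we mutate while scanning
      const byName = SENSITIVE_NAMES.test(name);
      if (byName || OPAQUE_VALUE.test(value)) {
        findings.push({ where, name, reason: byName ? 'sensitive-name' : 'opaque-value' });
        params.set(name, 'REDACTED');
      }
    }
  };
  scan(url.searchParams, 'query');               // searchParams is live: url.search updates
  const frag = new URLSearchParams(url.hash.slice(1));
  scan(frag, 'fragment');                        // key=value pairs after '#'
  if (findings.some(f => f.where === 'fragment')) url.hash = frag.toString();
  if (url.username || url.password) {            // https://user:pass@host/
    findings.push({ where: 'userinfo', name: null, reason: 'credentials-in-url' });
    url.username = '';
    url.password = '';
  }
  return { url: raw, findings, redacted: url.toString() };
}

// Return only the URLs that carry something worth moving out of the URL.
function auditAll(urls) {
  return urls.map(auditUrl).filter(r => r.findings.length > 0);
}

// Constructed sample input (the first URL is the one quoted in the reply above).
const SAMPLE_URLS = [
  'https://www.mybankname.com/?user=loginname',
  'https://shop.example/cart?item=42&ref=9f86d081884c7d659a2feaa0c55ad015',
  'https://app.example/cb#token=abc',
  'https://example.org/docs/page?lang=en#intro',
];
for (const r of auditAll(SAMPLE_URLS)) console.log(r.redacted, JSON.stringify(r.findings));
```

The value heuristic will also flag long harmless strings, so treat its hits as candidates for review rather than confirmed leaks.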
Gwendo RE: Firefox 3.6.3 insecure
Member 29th May, 2010 19:16
Score: 0
Posts: 3
User Since: 14th Sep 2009
System Score: N/A
Location: N/A
TiMow:
Yes, thank you. Had read the SA 39925 prior and am indeed doing safe browsing as best I can with various security functions...but was just hoping there was some actual patch that I somehow missed. Appreciate the advice.
Was this reply relevant?
+0
-0
Gwendo RE: Firefox 3.6.3 insecure
Member 29th May, 2010 19:24
Score: 0
Posts: 3
User Since: 14th Sep 2009
System Score: N/A
Location: N/A
GoneToPlaid:
Thank you. Good common sense.....I generally watch carefully what's open, minimized and whether I trust any sites for which I have tabs minimized. I try to carefully check URL's. Have several security filters, especially on financial sites I visit, so I should be okay for now. Was just hoping there might be an actual patch that I somehow missed. I am not a techie, but try to watch my back everywhere with (what I would categorize as) my intermediate "newbie" knowledge (or lack thereof).....appreciate the comments. I just keep on asking questions and learning.
Was this reply relevant?
+0
-0
GoneToPlaid RE: Firefox 3.6.3 insecure
Member 29th May, 2010 19:26
Score: 5
Posts: 71
User Since: 1st Apr 2009
System Score: 100%
Location: Atlanta, US
Hi Gwendo,

Hehe. Asking lots of questions is the best way to learn. It works for me!
Was this reply relevant?
+0
-0
Anthony Wells RE: Firefox 3.6.3 insecure
Expert Contributor 31st May, 2010 19:41
Score: 2445
Posts: 3,336
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello Gwendo ,

If you are worried about banking security you may or again may not want to check out the two links I posted in this thread :-

http://secunia.com/community/forum/thread/show/423...

Take care
Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0
