



Secunia Advisory: SA29029
Some vulnerabilities have been reported in Opera, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose sensitive information, or to bypass certain security restrictions.
1) A security issue is caused due to a design error when handling input to file form fields, which can potentially be exploited to trick a user into uploading arbitrary files.
2) An error within the handling of custom comments in image properties can be exploited to execute arbitrary script code in the wrong security context when comments of a malicious image are displayed.
3) An error in the handling of attribute values when importing XML into a document can be exploited to bypass filters and conduct cross-site scripting attacks if these values are used as document content.
The vulnerabilities are reported in versions prior to 9.26.
Solution:
Update to version 9.26.
http://www.opera.com/download/
Provided and/or discovered by:
The vendor credits:
1) Mozilla
2) Max Leonov
3) Arnaud
Original Advisory:
Opera:
http://www.opera.com/support/search/view/877/
http://www.opera.com/support/search/view/879/
http://www.opera.com/support/search/view/880/




Firefox 2.0.0.11 fixed a bug introduced by the 2.0.0.10 update in the <canvas> feature that affected some web pages and extensions.
What’s New in Firefox 2.0.0.11
Release Date: November 30, 2007
Stability Update: This release corrects a compatibility issue with some websites and extensions discovered in Firefox 2.0.0.10.
Earlier Changes: For information about previous changes, please see the Firefox 2.0.0.10 Release Notes.
Firefox 2 Features: For an overview, please see Firefox 2 Features.




Firefox 2.0.0.10 has been released to fix multiple vulnerabilities in the popular open source web browser.
What’s New in Firefox 2.0.0.10
Release Date: November 26, 2007
Security Update: The following security issues were fixed.
MFSA 2007-39 Referer-spoofing via window.location race condition
MFSA 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10)
MFSA 2007-37 jar: URI scheme XSS hazard
Earlier Changes: For information about previous changes, please see the Firefox 2.0.0.9 Release Notes.
Firefox 2 Features: For an overview, please see Firefox 2 Features.
Secunia Advisory: SA27725 Mozilla Firefox Multiple Vulnerabilities
Firefox users should immediately upgrade to 2.0.0.10.




Yesterday while doing my usual rounds, which include checking out Digg, I saw a Digg post about Vista blocking Firefox.

Initial reaction, What The …., then I forgot about it as I went back to checking sites and doing some additional research on IE Defender.
So, today here I am, back to what in the world is going on with Microsoft and blocking Firefox. Is there some sort of attempt to keep competing browsers, not running in Windows Protected mode, from accessing the internet? Nope, not even close.
Larry Osterman does a much better job of explaining what is going on than I ever could. You can read about it in his blog post: Chris Pirillo’s annoyed by the Windows Firewall prompt
Information on how to configure the Windows Firewall, on both XP and Vista, for Firefox can be found in the Mozilla Support Tutorial Configuring Windows Firewall




The 2.0.0.8 release fixed some 200 issues, but accidentally regressed a few things. Most users won’t see any difference or experience any problems, and those 200 fixes make the 2.0.0.8 update very valuable, but you should never have to choose functionality over security.
The specific problems are:
For a list of changes and more information, please review the Firefox 2.0.0.9 Release Notes.
If you are still running Firefox 1.5.0.x, you are highly encouraged to upgrade to the Firefox 2 series as Mozilla ceased supporting Firefox 1.5.0.x in May 2007. Simply choose “Check for Updates…” from the Help menu to begin the upgrade process.




Bad day for Firefox, Opera, and SeaMonkey users. All three browsers received updates today to patch multiple vulnerabilities.
Some vulnerabilities have been reported in Opera, where one vulnerability has an unknown impact and others can be exploited by malicious people to conduct cross-site scripting attacks and to compromise a user’s system.
Opera may launch external email or newsgroup clients incorrectly. This can be exploited to execute arbitrary commands by e.g. visiting a malicious website.
Successful exploitation requires that the user has configured an external email or newsgroup client.
An error when processing frames from different websites can be exploited to bypass the same-origin policy. This allows an attacker to overwrite functions of those frames and to execute arbitrary HTML and script code in a user’s browser session in the context of other sites.
An unspecified error exists in Opera in combination with Adobe Flash Player 9.0.47.0 and earlier on Mac OS X. No further information is currently available.
The vulnerabilities are reported in all versions of Opera for Desktop prior to version 9.24.
Opera users are urged to update to version 9.24 http://www.opera.com/download/
Some vulnerabilities and a weakness have been reported in Mozilla Firefox, which can be exploited by malicious people to disclose sensitive information, conduct phishing attacks, manipulate certain data, and potentially compromise a user’s system.
Various errors in the browser engine can be exploited to cause a memory corruption.
Various errors in the Javascript engine can be exploited to cause a memory corruption.
Successful exploitation of these vulnerabilities may allow execution of arbitrary code.
An error in the handling of onUnload events can be exploited to read and manipulate the document’s location of new pages.
Input passed to the user ID when making an HTTP request using Digest Authentication is not properly sanitised before being used in a request. This can be exploited to insert arbitrary HTTP headers into a user’s request when a proxy is used.
An error when displaying web pages written in the XUL markup language can be exploited to hide the window’s title bar and facilitate phishing attacks.
An error exists in the handling of “smb:” and “sftp:” URI schemes on Linux systems with gnome-vfs support. This can be exploited to read any file owned by the target user via a specially crafted page on the same server.
Successful exploitation requires that the attacker has write access to a mutually accessible location on the target server and the user is tricked into loading the malicious page.
An unspecified error in the handling of “XPCNativeWrappers” can lead to execution of arbitrary Javascript code with the user’s privileges via subsequent access by the browser chrome (e.g. when a user right-clicks to open a context menu).
Firefox users are urged to update to version 2.0.0.8.
SeaMonkey users are urged to update to version 1.1.5
NOTE: Additional fixes have been added to prevent the exploitation of a URI handling vulnerability in Microsoft Windows.
Thunderbird users are urged to update to version 2.0.0.8. Thunderbird uses the Firefox engine and is susceptible to the same exploits.
Note: (Saturday, 20 October, 2007) Thunderbird 2.0.0.8 has not yet been released.
Update: (Wednesday, 24 October, 2007) Thunderbird 2.0.0.8 release on hold. Possible forthcoming release of Firefox 2.0.0.9 to fix bugs introduced in FF 2.0.0.8.




Free for all
By John Leyden
Published Friday 5th October 2007 12:25 GMT
Microsoft has dropped the requirement for Windows XP users to go through Windows Genuine Advantage validation in order to get Internet Explorer 7.
The move, delivered via a software update on Thursday, means even users of pirated copies of Windows can take advantage of Microsoft’s latest browser software. For the rest of us it means avoiding the chore of WGA validation, a test that has been known to go wrong from time to time and is a chore even at the best of times.
IE7 comes bundled with Vista and as an optional update to XP. Dropping WGA checks for IE7 only affects Windows XP users.




Mozilla’s Firefox 2 and Microsoft’s Internet Explorer 7 are vulnerable to a flaw that could allow attackers to steal passwords. Dubbed a reverse cross-site request, or RCSR, vulnerability by its discoverer, Robert Chapin, the flaw lets hackers compromise users’ passwords and usernames by presenting them with a fake login form.




Firefox can automatically enter user names and passwords into login forms of known websites. Because it only notes the domain to which that login data belongs, it makes it possible for phishers to create their own login form within a page on the same server. The trick is currently being used in at least one page on MySpace.
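The autofill weakness described above, which is also what makes the fake login form in the preceding post work, shown as an added example that is not from the original posts or from Mozilla's code. It contrasts the host-only match with a stricter check that also compares where the form submits; the hosts, paths and the `strictMatch` policy are constructed for illustration.

```javascript
// Added example: hosts and paths are constructed, not taken from any real site.
const savedLogin = {
  origin: "https://social.example",            // where the credential was saved
  formAction: "https://social.example/login",  // where the original form submitted
  username: "alice",
};

// Policy described in the text: only the page's host is compared.
function domainOnlyMatch(saved, pageUrl) {
  return new URL(pageUrl).hostname === new URL(saved.origin).hostname;
}

// Stricter policy (assumption for illustration): the page origin must match and
// the form must submit to the same origin the credential was saved for.
function strictMatch(saved, pageUrl, formActionAttr) {
  const page = new URL(pageUrl);
  if (page.origin !== new URL(saved.origin).origin) return false;
  let action;
  try {
    // Resolve relative or empty actions against the page, as a browser would.
    action = new URL(formActionAttr || pageUrl, pageUrl);
  } catch {
    return false; // unparsable action: do not fill
  }
  return action.origin === new URL(saved.formAction).origin;
}

// Constructed test forms: [label, page URL, form action attribute]
const forms = [
  ["real login page", "https://social.example/login", "/login"],
  ["user-authored profile page", "https://social.example/profiles/12345",
    "https://collector.invalid/c"],
  ["different scheme", "http://social.example/login", "/login"],
];

function evaluate() {
  return forms.map(([label, page, action]) => ({
    label,
    domainOnly: domainOnlyMatch(savedLogin, page),
    strict: strictMatch(savedLogin, page, action),
  }));
}

for (const r of evaluate()) {
  console.log(`${r.label}: domain-only=${r.domainOnly} strict=${r.strict}`);
}
```

The host-only policy fills all three forms, including the one on a user-authored page that posts to another server; the stricter policy fills only the real login page.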




Firefox 1.5.0.8 is a security and stability update that is part of our ongoing program to provide a safe Internet experience for our customers. We recommend that all Firefox 1.5.0.x users upgrade to this latest version.
Release Date: November 7, 2006
Note: Firefox 1.5.0.x will be maintained with security and stability updates until April 24, 2007. All users are strongly encouraged to upgrade to Firefox 2.
Mozilla.com provides Firefox for Windows, Linux, and Mac OS X in a variety of languages. To get Firefox 1.5.0.8, download it here. For builds for other systems and languages not provided, see the Contributed Builds section at the end of this document.

