Firefox updates



AplusWebMaster
2006-10-25, 03:26
FYI...

- http://www.mozilla.com/firefox/

Release Notes:
- http://www.mozilla.com/firefox/2.0/releasenotes/

Features:
- http://www.mozilla.com/firefox/features.html


:bigthumb: :spider:

AplusWebMaster
2006-10-25, 18:11
"Will v.1.5.0.7 update itself to v.2":

- http://forums.mozillazine.org/viewtopic.php?t=478805
Posted: Oct Wed 25th 2006 5:16am
...I am still with 1.5.0.7 and I want to ask you if it will update itself to version 2 or I have to download it?
Posted: Oct Wed 25th 2006 5:25am
In a few days 1.5.0.8 will be released that will let you have the choice of either staying with 1.5 or Updating to 2.0 see http://forums.mozillazine.org/viewtopic.php?t=476975 ..."

- http://forums.mozillazine.org/viewtopic.php?t=477283
"What's fixed?
-Memory leaks
-Searching a page now searches within text fields
Questions...
-Does Firefox 2.0 still support Windows 98?
Yes. Firefox 3.0 is the release that is planned to drop support for Windows 98..."

Firefox Product Release Roadmap
- http://wiki.mozilla.org/ReleaseRoadmap

.

AplusWebMaster
2006-11-02, 22:30
FYI...

- http://www.infoworld.com/article/06/11/02/HNmozillatofixbug_1.html
November 02, 2006
"A second minor bug found in the Firefox 2.0 Web browser will be fixed, but users shouldn't encounter much of a problem in the meantime, a Mozilla official said Thursday. The browser will crash if it visits a Web page that has been intentionally coded with JavaScript in such a way as to target the bug, said Tristan Nitot, director of European operations for Mozilla. "It's very unlikely that anyone would have put a similar page on any ordinary Web page," so users shouldn't be affected, Nitot said. The problem can't be used to steal data from a computer, he added. It's the second bug that's been found in Firefox 2.0 since its release on Oct. 24. The first bug also causes the browser to hang or crash when a very large document is loaded into an iframe -- an HTML (Hypertext Markup Language) element -- using JavaScript. The new bug will eventually be fixed. "We will fix it because we need reliability," Nitot said..."
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5633
Last revised: 11/2/2006
"...NOTE: the original Bugtraq post mentioned that code execution was possible, but followup analysis has shown that it is only a null dereference..."

:blink:

AplusWebMaster
2006-12-20, 10:31
FYI...

> http://forums.spybot.info/showthread.php?p=58933


:spider:

AplusWebMaster
2007-02-23, 21:59
FYI...

v2.0.0.2
- http://en-us.www.mozilla.com/en-US/firefox/all.html

v1.5.0.10
- http://en-us.www.mozilla.com/en-US/firefox/all-older.html

What's New
- http://www.mozilla.com/en-US/firefox/2.0.0.2/releasenotes/

Security Updates
- http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox
MFSA 2007-07 Embedded nulls in location.hostname confuse same-domain checks
MFSA 2007-06 Mozilla Network Security Services (NSS) SSLv2 buffer overflow
MFSA 2007-05 XSS and local file access by opening blocked popups
MFSA 2007-04 Spoofing using custom cursor and CSS3 hotspot
MFSA 2007-03 Information disclosure through cache collisions
MFSA 2007-02 Improvements to help protect against Cross-Site Scripting attacks
MFSA 2007-01 Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2)

("Auto-update/Check for update" are currently unavailable but will be soon.)

AplusWebMaster
2007-02-24, 01:16
The "Check for updates" feature is now working (did mine minutes ago - YMMV):

While in the browser, go to >Help >Check for updates

...and that's about it! You're done!


:cool:

AplusWebMaster
2007-02-26, 14:14
FYI...

- http://secunia.com/advisories/24205/
Release Date: 2007-02-24
Last Update: 2007-02-26
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 1.x, Mozilla Firefox 2.0.x ...
Solution: Update to version 2.0.0.2 or 1.5.0.10..."

v2.0.0.2
- http://en-us.www.mozilla.com/en-US/firefox/all.html

v1.5.0.10
- http://en-us.www.mozilla.com/en-US/firefox/all-older.html

:fear:

AplusWebMaster
2007-02-28, 04:25
Oops... they "forgot" to include this one on their original list of "fixed" vulns:

Mozilla Foundation Security Advisory 2007-08
- http://www.mozilla.org/security/announce/2007/mfsa2007-08.html
"Title: onUnload + document.write() memory corruption
Impact: Critical
Announced: February 25, 2007 ...
Fixed in:
Firefox 2.0.0.2
Firefox 1.5.0.10
SeaMonkey 1.0.8 ..."

(Also now listed here):
- http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.2

:oops:

AplusWebMaster
2007-03-06, 15:28
Another fix not previously listed:

Mozilla Foundation Security Advisory 2007-09
- http://www.mozilla.org/security/announce/2007/mfsa2007-09.html
Title: Privilege escalation by setting img.src to javascript: URI
Impact: Critical
Announced: March 5, 2007 ...
Fixed in:
Firefox 2.0.0.2
Firefox 1.5.0.10
SeaMonkey 1.1.1
SeaMonkey 1.0.8
Description: ...The fix for MFSA 2006-72 in Firefox 1.5.0.9 and Firefox 2.0.0.1 introduced a regression that allows scripts from web content to execute arbitrary code by setting the src attribute of an IMG tag to a specially crafted javascript: URI. The same regression also caused javascript: URIs in IMG tags to be executed even if JavaScript execution was disabled in the global preferences... Thunderbird is not affected by this flaw as it will not execute javascript: URIs in IMG tags.
Workaround: Upgrade to a version containing the fix. Disabling JavaScript does not protect against this flaw..."

.

AplusWebMaster
2007-03-21, 01:21
FYI...

"Check for Updates" (now available):
From an admin account, open the Firefox browser, go to >Help >Check for Updates ...

Download sites:
v2.0.0.3
- http://en-us.www.mozilla.com/en-US/firefox/all.html
v1.5.0.11
- http://en-us.www.mozilla.com/en-US/firefox/all-older.html
What's New
- http://www.mozilla.com/en-US/firefox/2.0.0.3/releasenotes/

Description of Release
- http://wiki.mozilla.org/Firefox:1.5.0.11-2.0.0.3:Test_Plan#Description_of_Release
"This release is to address several regressions that were discovered in the Firefox 2.0.0.2/1.5.0.10 release."

.

AplusWebMaster
2007-05-30, 15:48
FYI...

- http://preview.tinyurl.com/2mfox3
May 29, 2007 (Computerworld) - "Mozilla Corp. will issue the last security update for its open-source Firefox 1.5 browser today (Wednesday). It will include an automatic update mechanism to give users the option of upgrading to the newer Firefox 2.0... Today's Firefox 1.5.0.12 will be the final security patch for the 18-month-old browser. Also due for delivery is Firefox 2.0.0.4... Firefox 2.0.0.4 will be posted here*, while Firefox 1.5.0.12 will be available from this page** of the Mozilla site. A list of the vulnerabilities*** patched by both updates will be posted sometime after 2.0.0.4 and 1.5.0.12 go live..."

* http://www.mozilla.com/en-US/firefox/all.html

** http://www.mozilla.com/en-US/firefox/all-older.html

*** http://www.mozilla.org/projects/security/known-vulnerabilities.html

.

AplusWebMaster
2007-05-31, 03:42
FYI - Firefox updates released...

Use "Check for Updates" from an Admin account (>Help >Check for Updates... )
-or-

Download v2.0.0.4:
- http://www.mozilla.com/en-US/firefox/all.html
Download v1.5.0.12:
- http://www.mozilla.com/en-US/firefox/all-older.html

Fixes:
- http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox

-------------------------------------------------------------------
Support for Mozilla Firefox 1.5 Extended Until Mid-May
- http://www.mozillazine.org/talkback.html?article=21543
April 24th, 2007

Release Schedule
> http://wiki.mozilla.org/Firefox:1.5.0.12-2.0.0.4#Release_Schedule
22 May 2007

.

AplusWebMaster
2007-07-03, 03:26
FYI...

- http://blog.mozilla.com/webdev/
"June 30, 2007 - The download controller was modified on Thursday to prepare for the release of the 1.5.0.12 -> 2.0.0.4 major update..."

...which was made available Sunday 7.1.2007.


.

AplusWebMaster
2007-07-18, 14:02
FYI...

- http://isc.sans.org/diary.html?storyid=3161
Last Updated: 2007-07-18 05:46:09 UTC - "Earlier today, Mozilla Firefox 2.0.0.5 was released which has a number of bug fixes including a couple of privacy related bugs and a few security related ones. Mozilla's Forum* show many of the details of these fixes for those that would like to peruse until the release notes** are updated. You can download the newest version from mozilla.com or through its automated update facility."

* http://forums.mozillazine.org/viewtopic.php?p=2965188&sid=9470fada0720570af2cc87b842eccaae

Fixed in Firefox 2.0.0.5
** http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.5

Download:
> http://www.mozilla.com/en-US/firefox/all.html

------------------------------

- http://secunia.com/advisories/26095/
Release Date: 2007-07-18
Critical: Highly critical
Impact: Cross Site Scripting, Spoofing, DoS, System access
Where: From remote
Solution Status: Vendor Patch...
Solution: Update to version 2.0.0.5...

- http://secunia.com/advisories/25984/

.

AplusWebMaster
2007-07-18, 18:21
> http://www.mozilla.org/security/announce/2007/mfsa2007-23.html
"...Note: Other Windows applications can be called in this way and also manipulated to execute malicious code. This fix only prevents Firefox and Thunderbird from accepting bad data. This patch does not fix the vulnerability in Internet Explorer."
------------------------------

- http://www.us-cert.gov/current/#multiple_vulnerabilities_in_mozilla_firefox
July 18, 2007

:fear:

AplusWebMaster
2007-07-18, 23:48
FYI...

- http://preview.tinyurl.com/ytjep2
July 18, 2007 - (Mozilla Security Blog) - "Firefox 2.0.0.5 is now available and there is a fix for the URL protocol handling issue... We warned that other Windows applications may be vulnerable to this Internet Explorer issue, and on Sunday Nate Mcfeters, Billy Rios, and Raghav Dube posted a proof of concept that demonstrates the same attack through Internet Explorer to execute code in Trillian. Additionally, Thor Larholm says*..."

* http://larholm.com/2007/07/18/firefox-fixes-internet-explorer-flaw/
July 18, 2007 - "... I can still automatically launch a wide range of external applications from Internet Explorer and provide them with arbitrary command line arguments. AcroRd32.exe (Adobe Acrobat PDF Reader), aim.exe (AOL Instant Messenger), Outlook.exe, msimn.exe (Outlook Express), netmeeting.exe, HelpCtr.exe (Windows Help Center), mirc.exe, Skype.exe, wab.exe (Windows Address Book) and wmplayer.exe (Windows Media Player) - just to name a few. I can categorically deny that this flaw has been fixed in Internet Explorer. Nicolas Robillard even detailed this flaw back in 2004 and it has remained unpatched since long before then..."

.

AplusWebMaster
2007-07-31, 04:22
FYI...

Firefox v2.0.0.6 released

From an admin account, start Firefox, then >Help >Check for Updates
-or-
Download:
> http://www.mozilla.com/firefox/all.html

Release Notes
> http://www.mozilla.com/en-US/firefox/2.0.0.6/releasenotes/
Release Date: July 30, 2007
-------------------------------

- http://blog.mozilla.com/security/2007/07/30/firefox-2.0.0.6-now-available/
30 July 2007 - "We’ve just released Firefox 2.0.0.6... The patch enables percent-encoding for spaces and double-quotes in URIs handed off to external programs. This reduces the risk of malicious data being passed through Firefox to another application that may then trigger unexpected and potentially dangerous behavior..."

.

siljaline
2007-08-01, 09:56
Thanks for the heads-up.

Silj

AplusWebMaster
2007-09-19, 01:55
FYI...

Firefox v2.0.0.7 released

From an admin account, start Firefox, then >Help >Check for Updates
-or-
Download:
> http://www.mozilla.com/firefox/all.html

Release Notes
> http://www.mozilla.com/en-US/firefox/2.0.0.7/releasenotes/
Release Date: September 18, 2007


.

AplusWebMaster
2007-10-19, 03:41
FYI...

Firefox v2.0.0.8 released

From an admin account, start Firefox, then >Help >Check for Updates
-or-
Download:
> http://www.mozilla.com/firefox/all.html

Release Notes
> http://www.mozilla.com/en-US/firefox/2.0.0.8/releasenotes/
Release Date: October 18, 2007

- http://secunia.com/advisories/27311
Release Date: 2007-10-19
Critical: Highly critical
Impact: Spoofing, Manipulation of data, Exposure of sensitive information, DoS, System access...
Solution: Update to version 2.0.0.8.

:fear:

AplusWebMaster
2007-10-24, 13:43
FYI...

- http://developer.mozilla.org/devnews/index.php/2007/10/22/firefox-2008-update-to-be-updated/
October 22nd, 2007 at 9:47 pm - "...The 2.0.0.8 release fixed some 200 issues, but accidentally regressed a few things. Most users won’t see any difference or experience any problems, and those 200 fixes make the 2.0.0.8 update very valuable, but you should never have to choose functionality over security. So we’re working fast to understand and fix these problems, and will shortly be issuing a 2.0.0.9 update to address them..."

:oops:

siljaline
2007-10-24, 17:39
Thanks for the FYI Jack :bigthumb:

Silj

brucewills
2007-10-31, 12:53
Hi,
it's cool, conveying such information is a good professional service. Keep up the good work!

AplusWebMaster
2007-11-02, 02:45
FYI...

Firefox v2.0.0.9 released

From an admin account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html

Release notes:
- http://www.mozilla.com/en-US/firefox/2.0.0.9/releasenotes/

.

AplusWebMaster
2007-11-27, 01:55
FYI...

Firefox v2.0.0.10 released

From an admin account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html

Fixed in Firefox 2.0.0.10:
- http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.10

.

AplusWebMaster
2007-12-01, 00:56
FYI...

Firefox v2.0.0.11 released

From an admin account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html

What's New in Firefox 2.0.0.11
- http://www.mozilla.com/en-US/firefox/2.0.0.11/releasenotes/
Release Date:
November 30, 2007
Stability Update:
This release corrects a compatibility issue with some websites and extensions discovered in Firefox 2.0.0.10.

Two bugs fixed in 2.0.0.11:
- http://preview.tinyurl.com/3djrk3

:eek:

AplusWebMaster
2008-02-08, 02:37
FYI...

Firefox v2.0.0.12 released
From an admin account, start Firefox, then >Help >Check for Updates
-or-
Download: http://www.mozilla.com/firefox/all.html

What's New in Firefox 2.0.0.12
- http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.12
Release Date: February 7, 2008
-------------------------------

- http://secunia.com/advisories/28758/
Release Date: 2008-02-08
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, DoS, System access
Where: From remote...
Solution: Update to version 2.0.0.12.
-------------------------------

> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0419
Last revised: 2/11/2008 - "...Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows remote attackers to steal navigation history and cause a denial of service (crash) via a crafted page that uses designMode frames, which triggers memory corruption...
Impact: ...CVSS v2 Base score: 10.0 (High)..."

> http://www.mozilla.org/security/announce/2008/mfsa2008-06.html
Fixed in: Firefox 2.0.0.12, SeaMonkey 1.1.8...

> http://www.mozilla.org/download.html

:fear:

AplusWebMaster
2008-03-26, 01:28
FYI...

Firefox v2.0.0.13 released
From an admin account, start Firefox, then >Help >Check for Updates
-or-

Download
- http://www.mozilla.com/firefox/

What's new:
- http://www.mozilla.com/en-US/firefox/2.0.0.13/releasenotes/

- http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox

- http://secunia.com/advisories/29526/
Release Date: 2008-03-26
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch...
Solution: Update to version 2.0.0.13...

:fear:

AplusWebMaster
2008-04-17, 04:06
FYI...

Firefox v2.0.0.14 released
From an admin account, start Firefox, then >Help >Check for Updates
-or-

Download
- http://www.mozilla.com/firefox/

What's new:
- http://www.mozilla.com/en-US/firefox/2.0.0.14/releasenotes/
April 16, 2008

- http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.14

- http://secunia.com/advisories/29787/
Release Date: 2008-04-17
Critical: Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch...
Solution: Update to version 2.0.0.14.

:fear:

Rhonda
2008-04-18, 18:13
Hi. Not so long ago, Firefox came highly recommended by a friend and writer who switched from IE to Firefox with great results and resolve to numerous complaints.

This morning, I am so happy about installing Firefox, which I use at local public libraries and really like.

Unless this is not recommended, I am considering downloading Bugzilla, for added security.

Just want to thank you.
Rhonda


"When learning, there are no dull moments so long as there is interest, resource, and effort there is potential for growth and progress. Thanks for your help and contribution to this humble learning process which somehow blesses my life with a feeling of purpose."

AplusWebMaster
2008-06-17, 23:08
FYI...

Firefox v3.0 released
- http://www.mozilla.com/firefox/

Release notes:
- http://www.mozilla.com/firefox/3.0/releasenotes/

Download:
- http://www.mozilla.com/firefox/all.html
(over 45 languages)

---
Suggested reading prior to install:

Release notes / Known Issues:
- http://www.mozilla.com/firefox/3.0/releasenotes/
(Includes)...known problems with Firefox 3...

AplusWebMaster
2008-06-19, 13:18
FYI...

Firefox vuln - unpatched
- http://secunia.com/advisories/30761/
Release Date: 2008-06-19
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Mozilla Firefox 2.0.x, Mozilla Firefox 3.x...
The vulnerability is reported in versions 3.0 and 2.0.x. Other versions may also be affected.
Solution: Do not follow untrusted links nor browse untrusted web sites...
Original Advisory:
http://dvlabs.tippingpoint.com/blog/2008/06/18/vulnerability-in-mozilla-firefox-30
"...Not unlike most browser based vulnerabilities that we see these days, user interaction is required such as clicking on a link in email or visiting a malicious web page. While Mozilla is working on a fix, we won't be divulging anything else until a patch is available..."
- http://blog.mozilla.com/security/2008/06/18/new-security-issue-under-investigation/

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2786
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2785

:fear:

- http://preview.tinyurl.com/47o8yg
June 26, 2008 (arstechnica.com) - "...Mozilla told us that they have not finalized the schedule for when Firefox 3 will be made available to Firefox 2 users through the update channel, but they suspect that it will happen within the next two or three months..."

AplusWebMaster
2008-07-02, 01:32
FYI...

Firefox v2.0.0.15 released

From an admin account, start Firefox, then >Help >Check for Updates
-or-

Download
- http://www.mozilla.com/en-US/firefox/all-older.html

What's New in Firefox 2.0.0.15:
- http://www.mozilla.com/en-US/firefox/2.0.0.15/releasenotes/
July 1, 2008

- http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox

- http://secunia.com/advisories/30911/
Last Update: 2008-07-03
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of system information, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch...
Solution: Update to version 2.0.0.15...

:fear:

AplusWebMaster
2008-07-16, 09:23
FYI...

Firefox v2.0.0.16 released

From an admin account, start Firefox, then >Help >Check for Updates
-or-

Download
- http://www.mozilla.com/en-US/firefox/all-older.html

What's New in Firefox 2.0.0.16:
- http://www.mozilla.com/en-US/firefox/2.0.0.16/releasenotes/
July 15, 2008

- http://www.mozilla.org/security/known-vulnerabilities/firefox20.html

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2785
CVSS v2 Base score: 9.3 (High)
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2933

:fear:

AplusWebMaster
2008-07-17, 02:05
FYI...

Firefox v3.0.1 released
- http://www.mozilla.com/firefox/
July 16, 2008

Upgrading Firefox
- http://support.mozilla.com/en-US/kb/Upgrading+Firefox
"To manually check for a Firefox update, click the Help menu at the top of the Firefox window, and select Check for Updates..."

If "Check for Updates is disabled", see:
- http://support.mozilla.com/en-US/kb/Check+for+Updates+is+disabled

Security Advisories
- http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.1

Known Issues
- http://www.mozilla.com/en-US/firefox/3.0.1/releasenotes/

Fixes in v3.0.1:
- http://www.mozilla.org/security/announce/2008/mfsa2008-34.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-35.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-36.html

- http://secunia.com/advisories/31106/
Last Update: 2008-07-17
Critical: Highly critical
Impact: Security Bypass, Spoofing, System access
Where: From remote
...The vulnerabilities are reported in versions prior to 3.0.1.
Solution: Update to version 3.0.1 ...

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2785
CVSS v2 Base score: 9.3 (High)

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2933

:fear:

AplusWebMaster
2008-09-24, 04:43
FYI...

Firefox v3.0.2 released
- http://www.mozilla.com/firefox/
Upgrading Firefox
- http://support.mozilla.com/en-US/kb/Upgrading+Firefox
"To manually check for a Firefox update, click the Help menu at the top of the Firefox window, and select Check for Updates..."
If "Check for Updates is disabled", see:
- http://support.mozilla.com/en-US/kb/Check+for+Updates+is+disabled
Security Advisories
- http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.2
Known Issues
- http://www.mozilla.com/en-US/firefox/3.0.2/releasenotes/
---

Firefox v2.0.0.17 released
From an admin account, start Firefox, then >Help >Check for Updates
-or-
Download
- http://www.mozilla.com/en-US/firefox/all-older.html
What's New in Firefox 2.0.0.17:
- http://www.mozilla.com/en-US/firefox/2.0.0.17/releasenotes/
September 23, 2008
- http://www.mozilla.org/security/known-vulnerabilities/firefox20.html#firefox2.0.0.17
---

FF3: http://secunia.com/advisories/32011/
Software: Mozilla Firefox 3.x
CVE reference:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3837
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4058
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4060
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4061
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4062
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4063
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4064
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4065
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4067
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4068

FF2: http://secunia.com/advisories/31984/
Software: Mozilla Firefox 2.0.x
CVE reference:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0016
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3835
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3836
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3837
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4058
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4059
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4060
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4061
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4062
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4065
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4066
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4067
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4068
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4069

.

AplusWebMaster
2008-09-27, 03:06
FYI...

Firefox v3.0.3 released
- http://en-us.www.mozilla.com/firefox/3.0.3/releasenotes/
September 26, 2008 - "Fixed a problem where users were unable to retrieve saved passwords or save new passwords (bug 454708*)"
* https://bugzilla.mozilla.org/show_bug.cgi?id=454708

- http://www.mozilla.com/firefox/all.html

:rolleyes:

AplusWebMaster
2008-11-13, 02:38
FYI...

Firefox v3.0.4 - v2.0.0.18 released

From an admin account, start Firefox, then >Help >Check for Updates
-or-

Download Firefox v3.0.4
- http://www.mozilla.com/firefox/all.html
Download Firefox v2.0.0.18
- http://www.mozilla.com/firefox/all-older.html

Release Notes
- http://www.mozilla.com/firefox/3.0.4/releasenotes/
Also see "Known Issues..." for v3: All Systems - 9 items, Microsoft Windows - 2...

Security issues
- http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.4
___

Firefox 3
- http://secunia.com/advisories/32713/
Release Date: 2008-11-13
Critical: Highly critical...

Firefox 2
- http://secunia.com/advisories/32693/
Release Date: 2008-11-13
Critical: Highly critical...

AplusWebMaster
2008-12-06, 18:51
FYI...

Firefox v2.0.0.19...
- https://wiki.mozilla.org/WeeklyUpdates/2008-12-01#Branch_work:_Firefox_2.0.0.19_.2F_3.0.5_.2F_Major_Update
2008-12-01 - "...Firefox 2.0.0.19 / 3.0.5 / Major Update...
• On track for December 16 release (possible day slip for major update)
• Firefox 2.0.0.19 will be the last release of Firefox 2 and will not include Phishing Protection..."

- http://news.cnet.com/8301-1009_3-10115852-83.html
December 5, 2008 - "...Google asked Mozilla to disable the feature in Firefox 2.0.0.19 that warns users of sites suspected of hosting identity fraud scams because the older browsers rely on an outdated SafeBrowsing protocol that Google is not supporting anymore..."

:fear:

AplusWebMaster
2008-12-17, 01:16
FYI...

Firefox v3.0.5 released
- http://www.mozilla.com/firefox/
Dec. 16, 2008

Release Notes
- http://www.mozilla.com/firefox/3.0.5/releasenotes/

Security Advisories
- http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.5
Fixed in Firefox 3.0.5
MFSA 2008-69 XSS vulnerabilities in SessionStore
MFSA 2008-68 XSS and JavaScript privilege escalation
MFSA 2008-67 Escaped null characters ignored by CSS parser
MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters
MFSA 2008-65 Cross-domain data theft via script redirect error message
MFSA 2008-64 XMLHttpRequest 302 response disclosure
MFSA 2008-63 User tracking via XUL persist attribute
MFSA 2008-60 Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)
___

Firefox v2.0.0.19 released
- http://www.mozilla.com/en-US/firefox/all-older.html

- http://www.mozilla.com/en-US/firefox/2.0.0.19/releasenotes/
Note: This is the last planned release of Firefox 2. All users are encouraged to upgrade to Firefox 3.
Firefox 2.0.0.19 does -not- include Phishing Protection.
___

- http://secunia.com/advisories/33203/

- http://secunia.com/advisories/33184/

:fear:

AplusWebMaster
2008-12-19, 16:20
FYI...

Firefox v2.0.0.20 released
- http://www.mozilla.com/en-US/firefox/all-older.html
December 18, 2008

Release Notes:
- http://www.mozilla.com/en-US/firefox/2.0.0.20/releasenotes/
Note: This is the last planned release of Firefox 2. All users are encouraged to upgrade to Firefox 3.
Firefox 2.0.0.20 does not include Phishing Protection.
- http://www.mozilla.com/en-US/firefox/2.0.0.20/releasenotes/#issues

Security Update:
- http://www.mozilla.com/en-US/firefox/2.0.0.20/releasenotes/
Firefox 2.0.0.20 includes an additional security fix over Firefox 2.0.0.19 for users of the Windows platform. The following security issue* was fixed.

* http://www.mozilla.org/security/known-vulnerabilities/firefox20.html#firefox2.0.0.20
MFSA 2008-65 Cross-domain data theft via script redirect error message (Windows)
- http://preview.tinyurl.com/3mvadg
"...Mozilla omitted one of the security patches that was supposed to be included in the Windows version of Tuesday's Firefox 2.0.0.19 release..."

Firefox 3
- http://secunia.com/advisories/33203/
...Solution: Update to version 3.0.5.
http://www.mozilla.com/en-US/products/download.html?product=firefox-3.0.5

:fear:

AplusWebMaster
2009-02-04, 02:58
FYI...

Firefox v3.0.6 released

From an admin account, start Firefox, then >Help >Check for Updates
-or-

Download Firefox v3.0.6
- http://www.mozilla.com/firefox/all.html

Security Advisories for Firefox v3.0.6
- http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.6
Fixed in Firefox 3.0.6
MFSA 2009-06 Directives to not cache pages ignored
MFSA 2009-05 XMLHttpRequest allows reading HTTPOnly cookies
MFSA 2009-04 Chrome privilege escalation via local .desktop files
MFSA 2009-03 Local file stealing with SessionStore
MFSA 2009-02 XSS using a chrome XBL method and window.eval
MFSA 2009-01 Crashes with evidence of memory corruption (rv:1.9.0.6)

- http://secunia.com/advisories/33799/
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.x...

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0352
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0353
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0354
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0355
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0356
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0357
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0358

:fear:

AplusWebMaster
2009-03-05, 03:53
FYI...

Firefox v3.0.7 released

From an admin account, start Firefox, then >Help >Check for Updates
-or-

Download Firefox v3.0.7
- http://www.mozilla.com/firefox/all.html

Fixed in Firefox 3.0.7
- http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.7
MFSA 2009-11 URL spoofing with invisible control characters
MFSA 2009-10 Upgrade PNG library to fix memory safety hazards
MFSA 2009-09 XML data theft via RDFXMLDataSource and cross-domain redirect
MFSA 2009-08 Mozilla Firefox XUL Linked Clones Double Free Vulnerability
MFSA 2009-07 Crashes with evidence of memory corruption (rv:1.9.0.7)

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0771
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0772
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0773
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0774
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0775
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0776

- http://secunia.com/advisories/34145/2/
Release Date: 2009-03-05
Critical: Highly critical
Impact: Security Bypass, Spoofing, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.x ...
Solution: Update to version 3.0.7 ...

:fear:

AplusWebMaster
2009-03-28, 12:23
FYI...

Firefox v3.0.8 released

From an admin account, start Firefox, then >Help >Check for Updates
-or-

Download Firefox v3.0.8
- http://www.mozilla.com/firefox/all.html

Fixed in Firefox 3.0.8
- http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.8
MFSA 2009-13 Arbitrary code execution through XUL <tree> element
MFSA 2009-12 XSL Transformation vulnerability

- http://secunia.com/advisories/34471/2/
Last Update: 2009-03-28
Critical: Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.x ...
Solution: Update to version 3.0.8...

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1044
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1169

:fear:

AplusWebMaster
2009-04-22, 05:01
FYI...

Firefox v3.0.9 released

From an admin account, start Firefox, then >Help >Check for Updates
-or-

Download Firefox v3.0.9
- http://www.mozilla.com/firefox/all.html

Fixed in Firefox 3.0.9
- http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.9
MFSA 2009-22 Firefox allows Refresh header to redirect to javascript: URIs
MFSA 2009-21 POST data sent to wrong site when saving web page with embedded frame
MFSA 2009-20 Malicious search plugins can inject code into arbitrary sites
MFSA 2009-19 Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString
MFSA 2009-18 XSS hazard using third-party stylesheets and XBL bindings
MFSA 2009-17 Same-origin violations when Adobe Flash loaded via view-source: scheme
MFSA 2009-16 jar: scheme ignores the content-disposition: header on the inner URI
MFSA 2009-15 URL spoofing with box drawing character
MFSA 2009-14 Crashes with evidence of memory corruption (rv:1.9.0.9)

- http://secunia.com/advisories/34758/2/
Release Date: 2009-04-22
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.x ...
Solution: Update to version 3.0.9...
CVE reference:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1302
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1303
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1304
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1305
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1306
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1307
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1308
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1309
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1310
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1311
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1312

:fear:

AplusWebMaster
2009-04-28, 13:14
FYI...

Firefox v3.0.10 released

From an admin account, start Firefox, then >Help >Check for Updates
-or-

Download Firefox v3.0.10
- http://www.mozilla.com/firefox/all.html

Fixed in Firefox 3.0.10
- http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.10
MFSA 2009-23 Crash in nsTextFrame::ClearTextRun()

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1313

- http://secunia.com/advisories/34866/2/
Release Date: 2009-04-28
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.x ...
Solution: Update to version 3.0.10...
Original Advisory: http://www.mozilla.org/security/announce/2009/mfsa2009-23.html

:fear:

AplusWebMaster
2009-06-12, 01:24
FYI...

Firefox v3.0.11 released

From an admin account, start Firefox, then >Help >Check for Updates
-or-

Download Firefox v3.0.11
- http://www.mozilla.com/firefox/all.html

Fixed in Firefox 3.0.11
- http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.11
MFSA 2009-32 JavaScript chrome privilege escalation
MFSA 2009-31 XUL scripts bypass content-policy checks
MFSA 2009-30 Incorrect principal set for file: resources loaded via location bar
MFSA 2009-29 Arbitrary code execution using event listeners attached to an element whose owner document is null
MFSA 2009-28 Race condition while accessing the private data of a NPObject JS wrapper class object
MFSA 2009-27 SSL tampering via non-200 responses to proxy CONNECT requests
MFSA 2009-26 Arbitrary domain cookie access by local file: resources
MFSA 2009-25 URL spoofing with invalid unicode characters
MFSA 2009-24 Crashes with evidence of memory corruption (rv:1.9.0.11)

- http://secunia.com/advisories/35331/2/
Release Date: 2009-06-12
Critical: Highly critical
Impact: Security Bypass, Spoofing, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.x ...
Solution: Update to version 3.0.11 ...

.

AplusWebMaster
2009-07-01, 01:29
FYI...

- http://support.mozilla.com/en-US/kb/Upgrading+to+Firefox+3%C2%B75
"... To upgrade from Firefox 3.0.x, open the Help menu (from an Admin account) and click Check for Updates..."
(NOTE: Some add-ons may not be compatible until they are updated*)
-OR-
Firefox v.3.5 released / Download
- http://www.mozilla.com/firefox/firefox.html
June 30th, 2009

Release Notes / *Known issues
- http://www.mozilla.com/firefox/3.5/releasenotes/

Security & Privacy
- http://www.mozilla.com/firefox/features/#security

Video
- http://www.mozilla.com/firefox/video/?video=security

- http://www.f-secure.com/weblog/archives/00001712.html
July 1, 2009 - "... when I installed Firefox 3.5 the Private Browsing option was disabled. What?..."

Firefox v3.5.1 patch to be released...
- http://www.theregister.co.uk/2009/07/03/mozilla_firefox_3_5_1/
3 July 2009
___

- https://wiki.mozilla.org/WeeklyUpdates/2009-06-29#Branch_work:_Firefox_3.0.x_.2F_Thunderbird_2.0.0.x
Firefox 3.0.12
* Code frozen as of Thursday last week
* Targeting mid/late-July release ...

- http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9135001
June 30, 2009 - "... the kill date for Version 3.0 will be Dec. 31, 2009..."

:fear::spider:

AplusWebMaster
2009-07-14, 13:00
FYI...

Firefox memory corruption vuln - unpatched
- http://secunia.com/advisories/35798/2/
Release Date: 2009-07-14
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Mozilla Firefox 3.5.x
Solution: Do not browse untrusted websites or follow untrusted links...
Original Advisory: http://milw0rm.com/exploits/9137 ...

- http://www.us-cert.gov/current/#mozilla_firefox_3_5_vulnerability
July 14, 2009

Per: http://voices.washingtonpost.com/securityfix/2009/07/stopgap_fix_for_critical_firef.html
July 14, 2009 - "... Fortunately, there is a relatively easy fix for this that can be reversed once Mozilla issues a patch. To disable the vulnerable component, open up a new Firefox window and type "about:config" (without the quotes) in the browser's address bar. In the "filter" box, type "jit" and you should see a setting called "javascript.options.jit.content". You should notice that beside that setting it reads "true," meaning the setting is enabled. If you just double-click on that setting, it should disable it, changing the option to "false." That's it.
Note that making this change will slow down Javascript rendering in Firefox 3.5 to 3.0 speeds, but that may be a worthwhile trade-off for readers concerned about the availability of exploit code for this flaw."
... 'Glad that Brian Krebs guy is around. :-)
Edit/add: Also found (later) here:
- http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/

- https://isc.sans.org/diary.html?storyid=6796
Last Updated: 2009-07-16 17:54:23 UTC ...(Version: 4) - "... this exploit has been spotted in the wild. The attacker just used Metasploit to create it and put a PoisonIvy client as the payload. Unfortunately, the payload has been packed with a packer that prevented some AV vendors so the detection isn't all that great..."

:fear::fear:

AplusWebMaster
2009-07-17, 05:32
FYI...

Firefox v3.5.1 released

From an admin account, start Firefox, then >Help >Check for Updates
-OR-

Download Firefox v3.5.1
- http://www.mozilla.com/firefox/all.html

Complete list of changes in this version
- https://bugzilla.mozilla.org/buglist.cgi?keywords_type=anywords&keywords=fixed1.9.1.1+verified1.9.1.1
> 22 bugs found.

- http://www.mozilla.org/security/announce/2009/mfsa2009-41.html
July 16, 2009

- http://isc.sans.org/diary.html?storyid=6817
Last Updated: 2009-07-17 07:17:02 UTC - "... if you applied the workaround by disabling the JIT in about:config, remember to turn it back on"

- http://www.mozilla.com/en-US/firefox/3.5.1/releasenotes/
Installing... Please note that installing Firefox 3.5 will overwrite your existing installation of Firefox. You won’t lose any of your bookmarks or browsing history, but some of your extensions and other add-ons might not work until updates for them are made available. You can reinstall an older version later if you wish to downgrade.
> http://www.mozilla.com/firefox/all-older.html
___

> https://wiki.mozilla.org/WeeklyUpdates/2009-07-13#Branch_work:_Firefox_3.0.x_.2F_Thunderbird_2.0.0.x
2009-07-13
• Firefox 3.0.12 ...
* final ship next week

:secret:

AplusWebMaster
2009-07-18, 20:01
FYI...

NEW vuln - FireFox 3.5.1 confirmed, exploit PoC, no patch
- http://isc.sans.org/diary.html?storyid=6829
Last Updated: 2009-07-18 15:04:23 UTC - "Various analysts and sites have recently confirmed a vulnerability is present in FireFox 3.5.1 that has had exploit PoC released. When exploited, the vulnerability can lead to system compromise or induce a DOS. No Patch is available."
Mozilla Firefox 3.5 Unicode Data Remote Stack Buffer Overflow Vulnerability
> http://www.securityfocus.com/bid/35707/
CVE-2009-2479
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2479
Last revised: 07/16/2009
CVSS v2 Base Score: 10.0 (HIGH)
>> http://xforce.iss.net/xforce/xfdb/51729
Reported: July 15, 2009
>> http://www.milw0rm.com/exploits/9158
[2009-07-15]

milw0rm 9158 “stack overflow” crash not exploitable (CVE-2009-2479)
- http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/
07.19.09 - "In the last few days, there have been several reports (including one via SANS) of a bug in Firefox related to handling of certain very long Unicode strings. While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug. Our analysis indicates that it is -not-, and we have seen no example of exploitability... we believe that the IBM report is in error, and that the severity rating in the National Vulnerability Database report is incorrect. We have contacted them and hope to resolve the inaccuracies shortly."

:fear::fear:

AplusWebMaster
2009-07-22, 04:04
FYI...

Firefox v3.0.12 released
From an admin account, start Firefox, then >Help >Check for Updates
-or-

Download Firefox v3.0.12
- http://www.mozilla.com/firefox/all-older.html

- http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.12
Fixed in Firefox 3.0.12
MFSA 2009-40 Multiple cross origin wrapper bypasses
MFSA 2009-39 setTimeout loses XPCNativeWrappers
MFSA 2009-37 Crash and remote code execution using watch and __defineSetter__ on SVG element
MFSA 2009-36 Heap/integer overflows in font glyph rendering libraries
MFSA 2009-35 Crash and remote code execution during Flash player unloading
MFSA 2009-34 Crashes with evidence of memory corruption (rv:1.9.1/1.9.0.12)

- http://secunia.com/advisories/35914/2/
Release Date: 2009-07-22
Critical: Highly critical
Impact: System access, Cross Site Scripting
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.0.x ...
Solution: Update to version 3.0.12 ...

:fear:

tashi
2009-08-04, 08:57
From an admin account, start Firefox, then > Help > Check for Updates
-or-
Download: http://www.mozilla.com/en-US/firefox/all.html

Release Notes: http://www.mozilla.com/en-US/firefox/3.5.2/releasenotes/

Firefox 3.5.2 fixes the following issues:
• Several security issues (http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.2).
• Images with ICC profiles now render properly on all monitors.

___

Firefox v3.0.13 released

From an admin account, start Firefox, then > Help > Check for Updates
-or-
Download: http://www.mozilla.com/en-US/firefox/all-older.html

Release Notes: http://www.mozilla.com/en-US/firefox/3.0.13/releasenotes/

Firefox 3.0.13 fixes the following issues:
- http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.13

- http://secunia.com/advisories/36001/2/
Last Update: 2009-08-07
Critical: Highly critical
Impact: System access, Spoofing
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.0.x, Mozilla Firefox 3.5.x ...
Solution: Update to version 3.5.2 or 3.0.13...

- http://secunia.com/advisories/36088/2/
Last Update: 2009-08-07
Critical: Highly critical
Impact: Security Bypass, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.0.x
Solution: Update to version 3.0.13...
___

* https://wiki.mozilla.org/WeeklyUpdates/2009-08-03#Branch_work:_Firefox_3.0.x_.2F_Thunderbird_2.0.0.x
• short cycle release to fix new issues announced at BlackHat and Defcon
___

- http://www.eset.com/threat-center/blog/2009/08/06/firefox-more-security-less-privacy
August 6, 2009 - "... a few days ago when I allowed Firefox to update to fix security vulnerabilities my privacy settings were reset to less private settings. I had Firefox set to clear the history on exit, and prompt me. I also had it set not to accept third party cookies. After the upgrade the settings were reset to defaults. I simply happened to notice that I wasn’t prompted when I closed Firefox... This is not a behavior that should be happening. Perhaps my computer is an anomaly and there is a conflict... At any rate, it is always a good idea to check the settings of your programs periodically, and especially after an update..."

:fear:

AplusWebMaster
2009-09-05, 01:41
FYI...

Firefox will check Flash...
- http://blog.mozilla.com/security/2009/09/04/helping-users-keep-plugins-updated/
September 04, 2009 - "Starting with the upcoming releases of Firefox 3.5.3 and Firefox 3.0.14, Mozilla will warn users if their version of the popular Adobe Flash Player plugin is out of date. Old versions of plugins can cause crashes and other stability problems, and can also be a significant security risk. For now our focus is on the Adobe Flash Player both because of its popularity and because some studies have shown that as many as 80% of users currently have an out of date version*..."
* http://blogs.zdnet.com/security/?p=4097

- https://wiki.mozilla.org/WeeklyUpdates/2009-08-31#Branch_work:_Firefox_3.0.x_.2F_Firefox_3.5.x_.2F_Thunderbird_2.0.0.x
WeeklyUpdates/2009-08-31
• Firefox 3.0.14 / Firefox 3.5.3
> on track for release next week

:cool:

AplusWebMaster
2009-09-10, 04:18
FYI...

Firefox v3.5.3 released

From an admin account, start Firefox, then > Help > Check for Updates
-or-
Download: http://www.mozilla.com/firefox/all.html
v.3.5.3, released September 9, 2009

- http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.3
Fixed in Firefox 3.5.3
MFSA 2009-51 Chrome privilege escalation with FeedWriter
MFSA 2009-50 Location bar spoofing via tall line-height Unicode characters
MFSA 2009-49 TreeColumns dangling pointer vulnerability
MFSA 2009-47 Crashes with evidence of memory corruption (rv:1.9.1.3/1.9.0.14)
___

Firefox v3.0.14 released

From an admin account, start Firefox, then > Help > Check for Updates
-or-
Download: http://www.mozilla.com/firefox/all-older.html
v3.0.14, released September 9, 2009

- http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14
Fixed in Firefox 3.0.14
MFSA 2009-51 Chrome privilege escalation with FeedWriter
MFSA 2009-50 Location bar spoofing via tall line-height Unicode characters
MFSA 2009-49 TreeColumns dangling pointer vulnerability
MFSA 2009-48 Insufficient warning for PKCS11 module installation and removal
MFSA 2009-47 Crashes with evidence of memory corruption (rv:1.9.1.3/1.9.0.14)
___

- http://secunia.com/advisories/36671/2/
Release Date: 2009-09-10
Critical: Highly critical
Impact: Security Bypass, Spoofing, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.0.x, Mozilla Firefox 3.5.x ...
Solution: Update to version 3.0.14 or 3.5.3...

CVE reference:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3069
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3070
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3071
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3072
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3073
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3074
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3075
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3076
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3077
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3078
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3079

.

AplusWebMaster
2009-09-17, 14:26
FYI...

- http://www.channelregister.co.uk/2009/09/17/firefox_users_with_vulnerable_flash/
17 September 2009 - "... Of the 6 million or so people who upgraded to either 3.5.3 or 3.0.14 of Firefox on its debut last Thursday, slightly more than 3 million of them were found to be running an outdated Flash version, according to Mozilla's Ken Kovash*. Sadly, only about 35 percent of those informed they had an insecure installation clicked on a link to upgrade to the latest version..."
* http://blog.mozilla.com/metrics/2009/09/16/helping-people-upgrade-flash/

:rolleyes: :slap:

AplusWebMaster
2009-10-18, 14:54
FYI...

Firefox blocks MS add-on to tighten security
- http://www.f-secure.com/weblog/archives/00001794.html
October 17, 2009

// http://www.mozilla.com/plugincheck/

.NET Framework Assistant Blocked to Disarm Security Vulnerability
* http://blog.mozilla.com/security/2009/10/16/net-framework-assistant-blocked-to-disarm-security-vulnerability/
10.16.09 - "... Mike Shaver, Mozilla’s Vice President of Engineering writes: I’ve previously posted** about the .NET Framework Assistant add-on that was delivered via Windows Update earlier this year. It’s recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on. Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately. (Some users are already seeing it disabled, less than an hour after we added it!)"
** http://shaver.off.net/diary/2009/06/02/dealing-with-the-net-clickonce-add-on/
02 June 2009

- http://support.microsoft.com/kb/963707
Last Review: June 2, 2009 - Revision: 2.3

- http://voices.washingtonpost.com/securityfix/2009/05/microsoft_update_quietly_insta.html
May 29, 2009 - "... to Microsoft - this is a great example of how not to convince people to trust your security updates..."

:fear:

AplusWebMaster
2009-10-19, 16:42
'Wish somebody would make up their mind!

- http://shaver.off.net/diary/2009/10/18/update-net-framework-assistant-clickonce-support-unblocked/
18 October 2009 - "We received confirmation from Microsoft this evening that the Framework Assistant add-on is -not- a mechanism for exploiting the vulnerabilities detailed in the earlier post*, so we’ve removed it from the blocklist. As the blocklist update propagates to clients, the add-on should be re-enabled for users who had it previously enabled.
We’re hard at work on improving the experience for (especially enterprise) users who wish to override the blocking of the WPF plugin before we remove it from the blocklist, and I’m working on a post to clarify the events of the past few days..."
* http://blog.mozilla.com/security/2009/10/16/net-framework-assistant-blocked-to-disarm-security-vulnerability/
10.16.09

- http://www.theregister.co.uk/2009/10/19/firefox_plug_in_security_flap/
19 October 2009
- http://www.theinquirer.net/inquirer/news/1558953/mozilla-shoots-microsoft-plug
19 October 2009
- http://www.h-online.com/security/news/item/Firefox-blocks-then-unblocks-Microsoft-add-on-832309.html
19 October 2009

- http://www.securityfocus.com/brief/1024
2009-10-20

- https://bugzilla.mozilla.org/show_bug.cgi?id=522777
Last: 2009-10-20

:sad::confused:

AplusWebMaster
2009-10-28, 04:10
FYI...

Firefox v3.5.4 released

From an admin account, start Firefox, then > Help > Check for Updates
-or-
Download: http://www.mozilla.com/firefox/all.html
v.3.5.4, released October 27, 2009

- http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.4
Fixed in Firefox 3.5.4
MFSA 2009-64 Crashes with evidence of memory corruption (rv:1.9.1.4/ 1.9.0.15)
MFSA 2009-63 Upgrade media libraries to fix memory safety bugs
MFSA 2009-62 Download filename spoofing with RTL override
MFSA 2009-61 Cross-origin data theft through document.getSelection()
MFSA 2009-59 Heap buffer overflow in string to number conversion
MFSA 2009-57 Chrome privilege escalation in XPCVariant::VariantDataToJS()
MFSA 2009-56 Heap buffer overflow in GIF color map parser
MFSA 2009-55 Crash in proxy auto-configuration regexp parsing
MFSA 2009-54 Crash with recursive web-worker calls
MFSA 2009-53 Local downloaded file tampering
MFSA 2009-52 Form history vulnerable to stealing
___

Firefox v3.0.15 released

From an admin account, start Firefox, then > Help > Check for Updates
-or-
Download: http://www.mozilla.com/firefox/all-older.html
v3.0.15, released October 27, 2009

- http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.15
Fixed in Firefox 3.0.15
MFSA 2009-64 Crashes with evidence of memory corruption (rv:1.9.1.4/ 1.9.0.15)
MFSA 2009-63 Upgrade media libraries to fix memory safety bugs
MFSA 2009-62 Download filename spoofing with RTL override
MFSA 2009-61 Cross-origin data theft through document.getSelection()
MFSA 2009-59 Heap buffer overflow in string to number conversion
MFSA 2009-57 Chrome privilege escalation in XPCVariant::VariantDataToJS()
MFSA 2009-56 Heap buffer overflow in GIF color map parser
MFSA 2009-55 Crash in proxy auto-configuration regexp parsing
MFSA 2009-53 Local downloaded file tampering
MFSA 2009-52 Form history vulnerable to stealing
___

- http://secunia.com/advisories/36711/2/
Release Date: 2009-10-28
Critical: Highly critical
Impact: Security Bypass, Manipulation of data, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.0.x, Mozilla Firefox 3.5.x
Solution: Update to version 3.0.15 or 3.5.4...
CVE reference:
CVE-2009-1563, CVE-2009-3370, CVE-2009-3371, CVE-2009-3372, CVE-2009-3373, CVE-2009-3374, CVE-2009-3375, CVE-2009-3376, CVE-2009-3377, CVE-2009-3378, CVE-2009-3379, CVE-2009-3380, CVE-2009-3381, CVE-2009-3382, CVE-2009-3383

:fear::spider::fear:

AplusWebMaster
2009-11-06, 06:58
FYI...

Firefox v3.5.5 released

From an admin account, start Firefox, then > Help > Check for Updates
-or-
Download: http://www.mozilla.com/firefox/all.html
v.3.5.5, released Nov. 5, 2009

- http://www.mozilla.com/en-US/firefox/3.5.5/releasenotes/
"Firefox 3.5.5 fixes the following issues: Fixed several stability issues..."

Complete list of changes in this version
- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.1%3A.5-fixed
Thu Nov 5 2009 20:44:32 PST

AplusWebMaster
2009-12-16, 13:32
FYI...

Firefox v3.5.6 released

From an admin account, start Firefox, then > Help > Check for Updates
-or-
Download: http://www.mozilla.com/firefox/all.html
v.3.5.6, released December 15, 2009

- http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.6
Fixed in Firefox 3.5.6
MFSA 2009-71 GeckoActiveXObject exception messages can be used to enumerate installed COM objects
MFSA 2009-70 Privilege escalation via chrome window.opener
MFSA 2009-69 Location bar spoofing vulnerabilities
MFSA 2009-68 NTLM reflection vulnerability
MFSA 2009-67 Integer overflow, crash in libtheora video library
MFSA 2009-66 Memory safety fixes in liboggplay media library
MFSA 2009-65 Crashes with evidence of memory corruption (rv:1.9.1.6/ 1.9.0.16)
___

Firefox v3.0.16 released

From an admin account, start Firefox, then > Help > Check for Updates
-or-
Download: http://www.mozilla.com/firefox/all-older.html
v3.0.16, released December 15, 2009

- http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.16
Fixed in Firefox 3.0.16
MFSA 2009-71 GeckoActiveXObject exception messages can be used to enumerate installed COM objects
MFSA 2009-70 Privilege escalation via chrome window.opener
MFSA 2009-69 Location bar spoofing vulnerabilities
MFSA 2009-68 NTLM reflection vulnerability
MFSA 2009-65 Crashes with evidence of memory corruption (rv:1.9.1.6/ 1.9.0.16)
___

- http://secunia.com/advisories/37699/2/
Release Date: 2009-12-16
Critical: Highly critical
Impact: Security Bypass, Spoofing, Manipulation of data, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.0.x, Mozilla Firefox 3.5.x ...
Solution: Update to version 3.0.16 or 3.5.6...

- http://www.theregister.co.uk/2009/12/16/firefox_update/
16 December 2009

:fear:

AplusWebMaster
2010-01-06, 07:39
FYI...

Firefox v3.5.7 released

From an admin account, start Firefox, then > Help > Check for Updates
-or-
Download: http://www.mozilla.com/firefox/all.html
v.3.5.7, released January 5, 2010

- http://www.mozilla.com/en-US/firefox/3.5.7/releasenotes/
Firefox 3.5.7 fixes the following issues:
• Fixed a common stability issue.
• Fixed a problem with how updates were being presented to users.
Complete list of changes:
- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.1%3A.7-fixed

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0220
Last revised: 01/08/2010
CVSS v2 Base Score: 5.0 (MEDIUM)
___

Firefox v3.0.17 released

From an admin account, start Firefox, then > Help > Check for Updates
-or-
Download: http://www.mozilla.com/firefox/all-older.html
v3.0.17, released January 5, 2010

- http://www.mozilla.com/en-US/firefox/3.0.17/releasenotes/
Firefox 3.0.17 fixes the following issue:
• Fixed a problem with how updates were being presented to users.
Complete list of changes:
- https://bugzilla.mozilla.org/buglist.cgi?keywords_type=anywords&keywords=fixed1.9.0.17+verified1.9.0.17

:fear:

AplusWebMaster
2010-01-26, 04:53
FYI...

Firefox v.3.6 released
- http://www.mozilla.com/en-US/firefox/3.6/releasenotes/
January 21, 2010 - "Firefox 3.6 is built on Mozilla's Gecko 1.9.2 web rendering platform, which has been under development since early 2009 and contains many improvements for web developers, add-on developers, and users. This version is also faster and more responsive than previous versions and has been optimized to run on small device operating systems such as Maemo..."
- Download: http://www.mozilla.com/firefox/all.html

WeeklyUpdates/2010-01-25
- https://wiki.mozilla.org/WeeklyUpdates/2010-01-25
Schedule for Firefox 3.5.8 are... Final release: February 16 ...
Schedule for Firefox 3.0.18 are... Final release: February 16 ...

:confused:

AplusWebMaster
2010-02-18, 14:06
FYI...

From an admin account, start Firefox, then > Help > Check for Updates

Firefox v3.0.18/v3.5.8 released
- http://secunia.com/advisories/37242/
Release Date: 2010-02-18
Criticality level: Highly critical
Impact: Cross Site Scripting, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.0.x, Mozilla Firefox 3.5.x
Solution: Update to version 3.0.18 or 3.5.8.
Original Advisory: Mozilla:
http://www.mozilla.org/security/announce/2010/mfsa2010-01.html
http://www.mozilla.org/security/announce/2010/mfsa2010-02.html
http://www.mozilla.org/security/announce/2010/mfsa2010-03.html
http://www.mozilla.org/security/announce/2010/mfsa2010-04.html
http://www.mozilla.org/security/announce/2010/mfsa2010-05.html
Secunia Research:
http://secunia.com/secunia_research/2009-45/

Bug list:
- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.1%3A.8-fixed
63 bugs found.

Fixed in Firefox 3.5.8
- http://www.mozilla.org/security/known-vulnerabilities/firefox35.html

Bug list:
- https://bugzilla.mozilla.org/buglist.cgi?keywords_type=anywords&keywords=fixed1.9.0.18+verified1.9.0.18
19 bugs found.

Fixed in Firefox 3.0.18
- http://www.mozilla.org/security/known-vulnerabilities/firefox30.html

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1571
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3988
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0159
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0160
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0162
____

Blocklisted add-ons that should no longer be used with Mozilla products.
- https://www.mozilla.com/en-US/blocklist/

:fear:

AplusWebMaster
2010-03-20, 13:44
FYI...

Firefox v3.6.2
- http://secunia.com/advisories/38608/
Last Update: 2010-03-19
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Workaround
Software: Mozilla Firefox 3.6.x
Original Advisory: Mozilla:
- http://blog.mozilla.com/security/2010/03/18/update-on-secunia-advisory-sa38608/
03.18.10 - "Mozilla was contacted by Evgeny Legerov, the security researcher who discovered the bug referenced in the Secunia report, with sufficient details to reproduce and analyze the issue. The vulnerability was determined to be critical and could result in remote code execution by an attacker. The vulnerability has been patched by developers and we are currently undergoing quality assurance testing for the fix. Firefox 3.6.2 is scheduled to be released March 30th and will contain the fix for this issue. As always, we encourage users to apply this update as soon as it is available to ensure a safe browsing experience. Alternatively, users can download the current Beta build of Firefox 3.6.2, which contains the fix from here:
https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.2-candidates/build3/

- https://wiki.mozilla.org/WeeklyUpdates/2010-03-22#Branch_work:_Firefox_3.5.x_.2F_Firefox_3.6.x_.2F_Thunderbird_3.0.x
WeeklyUpdates/2010-03-22 - "QA and release teams are quickly checking the risk of 1.9.2 patches, to see if we can get 3.6.2 out early this week."

:fear:

AplusWebMaster
2010-03-23, 07:21
FYI...

Firefox v3.6.2 released

From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html

• Critical: MFSA 2010-11 Crashes with evidence of memory corruption
- http://www.mozilla.org/security/announce/2010/mfsa2010-11.html
• Critical: MFSA 2010-08 WOFF heap corruption due to integer overflow
- http://www.mozilla.org/security/announce/2010/mfsa2010-08.html

Fixed in Firefox 3.6.2
- http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.2
MFSA 2010-15 Asynchronous Auth Prompt attaches to wrong window
MFSA 2010-14 Browser chrome defacement via cached XUL stylesheets
MFSA 2010-13 Content policy bypass with image preloading
MFSA 2010-12 XSS using addEventListener and setTimeout on a wrapped object
MFSA 2010-11 Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.8/ 1.9.0.18)
MFSA 2010-10 XSS via plugins and unprotected Location object
MFSA 2010-09 Deleted frame reuse in multipart/x-mixed-replace image
MFSA 2010-08 WOFF heap corruption due to integer overflow

What’s New in Firefox 3.6.2
- http://www.mozilla.com/en-US/firefox/3.6.2/releasenotes/
Firefox 3.6.2 fixes the following issues found in previous versions of Firefox 3.6:
* Fixed a critical security issue that could potentially allow remote code execution (see bug 552216).
* Fixed several additional security issues.
* Fixed several stability issues.
Please see the complete list of changes* in this version..."
* https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.2%3A.2-fixed
118 bugs found.

- http://secunia.com/advisories/38608/
Last Update: 2010-03-23
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution: Update to version 3.6.2.

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0164
... before 3.6.2...
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0165
... before 3.6.2...
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0166
... before 3.6.2...
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0169
... before 3.6.2...
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0170
... before 3.6.2...
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0171
... before 3.6.2...
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0172
... before 3.6.2...
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1028
... before 3.6.2...
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1122
Last revised: 03/26/2010 - ...Firefox 3.5.x through 3.5.8...
CVSS v2 Base Score: 10.0 (HIGH)...

- https://wiki.mozilla.org/WeeklyUpdates/2010-03-29#Branch_work:_Firefox_3.5.x_.2F_Firefox_3.6.x_.2F_Thunderbird_3.0.x
WeeklyUpdates/2010-03-29 - "... 3.5.9, 3.0.19 on track for tomorrow..."

:fear:

AplusWebMaster
2010-03-31, 05:38
FYI...

Firefox v3.5.9 released

From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download
- http://www.mozilla.com/firefox/all-older.html

Release Notes
- http://www.mozilla.com/firefox/3.5.9/releasenotes/
v.3.5.9, released March 30, 2010

Security Advisories
- http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.9
Fixed in Firefox 3.5.9
MFSA 2010-24 XMLDocument::load() doesn't check nsIContentPolicy
MFSA 2010-23 Image src redirect to mailto: URL opens email editor
MFSA 2010-22 Update NSS to support TLS renegotiation indication
MFSA 2010-20 Chrome privilege escalation via forced URL drag and drop
MFSA 2010-19 Dangling pointer vulnerability in nsPluginArray
MFSA 2010-18 Dangling pointer vulnerability in nsTreeContentView
MFSA 2010-17 Remote code execution with use-after-free in nsTreeSelection
MFSA 2010-16 Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.9/ 1.9.0.19)

- https://developer.mozilla.org/devnews/index.php/2010/03/30/firefox-3-5-9-and-3-0-19-security-updates-now-available/
March 30, 2010 - "... Firefox 3.5.9 and Firefox 3.0.19 are now available for Windows, Mac, and Linux for free download... Please note: This is the last planned security and stability release for Firefox 3.0..."
Use: >Help >Check for Updates

Firefox 3.0.19: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.19

13 bugs...
- https://bugzilla.mozilla.org/buglist.cgi?keywords_type=anywords&keywords=fixed1.9.0.19+verified1.9.0.19

:fear:

AplusWebMaster
2010-04-02, 05:06
FYI...

Firefox v3.6.3 released

From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html

- http://www.mozilla.org/security/announce/2010/mfsa2010-25.html
Title: Re-use of freed object due to scope confusion
Impact: Critical
Announced: April 1, 2010
Reporter: Nils (MWR InfoSecurity)
Products: Firefox
Fixed in: Firefox 3.6.3...

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1121
Last revised: 03/26/2010
CVSS v2 Base Score: 10.0 (HIGH)
Overview: Unspecified vulnerability in Mozilla Firefox 3 on Windows 7 allows remote attackers to execute arbitrary code via unknown vectors that trigger memory corruption, as demonstrated by Nils during a Pwn2Own competition at CanSecWest 2010...

- http://secunia.com/advisories/39175/
Release Date: 2010-04-02
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution: Update to version 3.6.3.
___

Due to some obscure moron a "security 'specialist'" hacking into a kludge of browsers "playing games" at a supposed security conference at CanSecWest with all the public media reports as a result of the "contest", this update became necessary wasting the time and effort of millions of end users and those who support them. More updates for other browsers will follow...

Responsible Disclosure Policy
- http://www.secureworks.com/research/disclosure.html
As a managed security services provider, we are constantly researching new methods computer criminals could use to break into systems, steal information and cause harm to our clients or their clients. We must be ahead of the criminal – anticipating new threats and developing countermeasures to prevent those threats. In that process, we may discover a vulnerability or a class of vulnerabilities in a technology solution that could create risk for our clients or the general market. When we discover a vulnerability, we will follow SecureWorks’ Responsible Disclosure Policy.
The goals of our Disclosure Policy are as follows:
1. Minimize risks to our clients and to the market
2. Education
3. Contribution to the security community
4. Cooperation with vendor community to understand the vulnerability
SecureWorks believes that it is important to work with technology providers when we find vulnerabilities – giving them an opportunity to patch their systems prior to advising our clients and the public about the vulnerability. This reduces the opportunity for a computer criminal to use information we provide to the public to cause harm although it does not prevent the criminal from discovering the same vulnerability independently...

:fear::sad:

AplusWebMaster
2010-06-23, 03:28
FYI...

Firefox v3.6.4 released

From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html
June 22, 2010

What’s new
- http://www.mozilla.com/en-US/firefox/3.6.4/releasenotes/

- http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.4

- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.2%3A.4-fixed
226 bugs found/fixed

- http://secunia.com/advisories/40309/
Release Date: 2010-06-23
Criticality level: Highly critical
Impact: Security Bypass, Exposure of sensitive information, System access
Where: From remote
Solution: Update to version 3.5.10 or 3.6.4...

:fear:

AplusWebMaster
2010-06-28, 00:21
FYI...

Firefox v3.6.6 released

From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html
June 26, 2010

What’s new
- http://www.mozilla.com/en-US/firefox/3.6.6/releasenotes/
"Firefox 3.6.6 modifies the crash protection feature to increase the amount of time that plugins are allowed to be non-responsive before being terminated..."

- http://forums.mozillazine.org/viewtopic.php?f=38&t=1929983
"Firefox 3.6.6 is a maintenance release to solve problems with Flash crashes. If you are having a number of flash crashes this should solve the issue. The fix increases the amount of time before Firefox decides the plug-in has crashed. If you are curious why this release isn't number 3.6.5 see where's 3.6.5?* ..."
* http://christian.legnitto.com/blog/2010/06/09/heads-up-the-next-firefox-platform-version-is-1-9-2-6-instead-of-1-9-2-5/

- http://www.h-online.com/security/news/item/Norton-produces-false-alarm-after-Firefox-update-1030099.html
28 June 2010 - "... Norton Antivirus and Internet Security from Symantec both issued a security alert and pushed various files into quarantine after they installed the latest Firefox update which in turn caused Firefox to malfunction. In Symantec's support forums and elsewhere on the internet, further users have reported malware alerts after installing the Firefox 3.6.6 update. The affected files are reported to be:
* freebl3.dll
* softokn3.dll
* nssdbm3.dll
The name given by Symantec, WS.Reputation.1, points towards a detection by the cloud based functionality of Norton where the company evaluates the information transmitted by users' systems to assess files. Files that haven't been seen before are considered particularly suspicious. [?] If Norton then detects anything else that's unusual about the file, it will raise the alarm..."

:fear:

AplusWebMaster
2010-07-21, 01:19
FYI...

Firefox v3.6.7 released

From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html
July 20, 2010

What’s new
- http://www.mozilla.com/en-US/firefox/3.6.7/releasenotes/

- http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.7

- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.2%3A.7-fixed,.5-fixed
126 bugs found/fixed.

- http://securitytracker.com/alerts/2010/Jul/1024225.html
- http://securitytracker.com/alerts/2010/Jul/1024226.html

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0654
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1208
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1209
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1211
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1212
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1214
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2752
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2753
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2754

:fear:

AplusWebMaster
2010-07-24, 06:02
FYI...

Firefox v3.6.8 released

From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html
July 23, 2010

What’s new
- http://www.mozilla.com/en-US/firefox/3.6.8/releasenotes/
• Fixed a single stability issue affecting some pages containing plugins.
Regression: http://www.mozilla.org/security/announce/2010/mfsa2010-48.html

- http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.8

- http://securitytracker.com/alerts/2010/Jul/1024243.html
Date: July 24, 2010

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2755
CVSS v2 Base Score: 10.0 (HIGH)

:fear:

AplusWebMaster
2010-09-08, 12:43
FYI...

Firefox v3.6.9 released

From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html
Sep. 7, 2010

What’s new
- http://www.mozilla.com/en-US/firefox/3.6.9/releasenotes/

- http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.9

67 bugs found:
- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.2:.9-fixed

- http://secunia.com/advisories/41297/
Release Date: 2010-09-08
Criticality level: Highly critical
Impact: Cross Site Scripting, Exposure of sensitive information, System access
Where: From remote
CVE Reference(s): CVE-2010-2760, CVE-2010-2762, CVE-2010-2763, CVE-2010-2764, CVE-2010-2765, CVE-2010-2766, CVE-2010-2767, CVE-2010-2768, CVE-2010-2769, CVE-2010-2770, CVE-2010-3166, CVE-2010-3167, CVE-2010-3168, CVE-2010-3169
Solution: Update to version 3.6.9 or 3.5.12.

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3171
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3399
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3400

- http://securitytracker.com/alerts/2010/Sep/1024401.html
- http://securitytracker.com/alerts/2010/Sep/1024406.html
Sep 8 2010

:fear:

AplusWebMaster
2010-09-16, 09:28
FYI...

Firefox v3.6.10 released

From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html
Sep. 15, 2010

What’s new
- http://www.mozilla.com/en-US/firefox/3.6.10/releasenotes/
• Fixed a single stability issue affecting a limited number of users

2 bugs found.
- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.2%3A.10-fixed

:blink:

AplusWebMaster
2010-10-20, 10:34
FYI...

Firefox v3.6.11 released

From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html
Oct. 19, 2010

What’s new
- http://www.mozilla.com/en-US/firefox/3.6.11/releasenotes/
• Fixed several security issues.
• Fixed several stability issues.

Fixed in Firefox 3.6.11
- http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.11

Complete list of changes: 40 bugs found.
- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.2%3A.11-fixed

- http://www.securitytracker.com/id?1024605
Oct 20 2010
CVE Reference: CVE-2010-3170, CVE-2010-3173, CVE-2010-3174, CVE-2010-3175, CVE-2010-3176, CVE-2010-3177, CVE-2010-3178, CVE-2010-3179, CVE-2010-3180, CVE-2010-3181, CVE-2010-3182, CVE-2010-3183
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network ...
... prior to 3.6.11
Solution: The vendor has issued a fix (3.5.14, 3.6.11)...

:fear:

AplusWebMaster
2010-10-28, 04:35
FYI...

Firefox v3.6.12 released

From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html
Oct. 27, 2010

Fixed in Firefox 3.6.12
- http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.12

- http://www.mozilla.org/security/announce/2010/mfsa2010-73.html
• Critical: Heap buffer overflow mixing document.write and DOM insertion

:fear::fear:

AplusWebMaster
2010-12-10, 00:40
FYI...

Firefox v3.6.13 released

From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html
Dec. 9, 2010

Fixed in Firefox 3.6.13
- http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.13
MFSA 2010-84 XSS hazard in multiple character encodings
MFSA 2010-83 Location bar SSL spoofing using network error page
MFSA 2010-82 Incomplete fix for CVE-2010-0179
MFSA 2010-81 Integer overflow vulnerability in NewIdArray
MFSA 2010-80 Use-after-free error with nsDOMAttribute MutationObserver
MFSA 2010-79 Java security bypass from LiveConnect loaded via data: URL meta refresh
MFSA 2010-78 Add support for OTS font sanitizer
MFSA 2010-77 Crash and remote code execution using HTML tags inside a XUL tree
MFSA 2010-76 Chrome privilege escalation with window.open and <isindex> element
MFSA 2010-75 Buffer overflow while line breaking after document.write with long string
MFSA 2010-74 Miscellaneous memory safety hazards (rv:1.9.2.13/ 1.9.1.16)

- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.2:.13-fixed
68 bugs fixed...

- http://secunia.com/advisories/42517/
Release Date: 2010-12-10
Criticality level: Highly critical
Impact: Security Bypass, Cross Site Scripting, Spoofing, System access
Where: From remote
Solution Status: Vendor Patch...
Solution: Update to version 3.6.13 or 3.5.16.

- http://www.securitytracker.com/id?1024848
- http://www.securitytracker.com/id?1024850
- http://www.securitytracker.com/id?1024851
Dec 10 2010

:fear:

AplusWebMaster
2011-03-02, 00:23
FYI...

Firefox v.3.6.14 released

From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html
March 1st, 2011

Fixed in Firefox 3.6.14
- http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.14
MFSA 2011-10 CSRF risk with plugins and 307 redirects
MFSA 2011-09 Crash caused by corrupted JPEG image
MFSA 2011-08 ParanoidFragmentSink allows javascript: URLs in chrome documents
MFSA 2011-07 Memory corruption during text run construction (Windows)
MFSA 2011-06 Use-after-free error using Web Workers
MFSA 2011-05 Buffer overflow in JavaScript atom map
MFSA 2011-04 Buffer overflow in JavaScript upvarMap
MFSA 2011-03 Use-after-free error in JSON.stringify
MFSA 2011-02 Recursive eval call causes confirm dialogs to evaluate to true
MFSA 2011-01 Miscellaneous memory safety hazards (rv:1.9.2.14/ 1.9.1.17)

Bug fixes:
- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.2:.14-fixed
41 bugs found.
___

- http://secunia.com/advisories/43550/
Release Date: 2011-03-02
Criticality level: Highly critical
Impact: Cross Site Scripting, Spoofing, DoS, System access
Where: From remote
Solution: Update to Mozilla Firefox version 3.5.17 or 3.6.14

- http://www.securitytracker.com/id/1025134
Mar 2 2011

:fear:

AplusWebMaster
2011-03-04, 20:30
FYI...

Firefox v.3.6.15 released

From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html
March 4, 2011

- http://www.mozilla.com/en-US/firefox/3.6.15/releasenotes/
• Fixed an issue where some Java applets would fail to load in Firefox 3.6.14

- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.2:.15-fixed
24 bugs found.
___

- https://wiki.mozilla.org/WeeklyUpdates/2011-03-07#Firefox_3.6_and_3.5
WeeklyUpdates/2011-03-07
Shipped 3.6.15 on Friday, fixing an issue where Firefox 3.6.14 would fail to load certain Java applets
Bugs will be adjusted to reflect the current state of branch fixes ...

:fear:

AplusWebMaster
2011-03-18, 19:46
FYI...

Firefox 4 next week ...
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=229301231
March 18, 2011 - "Firefox 4... will be officially released on March 22, 2011..."

- http://blogs.computerworld.com/17982/windows_7_service_pack_1_dont_install_it_yet
March 16, 2011 - "... Firefox version 4.. give it a couple months before installing it; not only to let the browser get battle tested but also to give authors of extensions more time to get the kinks out..."

- https://wiki.mozilla.org/Firefox/Roadmap#Product_Priorities_for_2011

:fear:

AplusWebMaster
2011-03-22, 20:04
FYI...

Firefox v4.0 released

From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html
March 22, 2011

- http://www.mozilla.com/en-US/firefox/4.0/releasenotes/

- http://www.mozilla.com/en-US/firefox/4.0/system-requirements/
"... Please note that while the 32-bit and 64-bit versions of Windows Vista and Windows 7 can be used to run Firefox 4, only 32-bit builds of Firefox 4 are supported at this time..."
___

What happened to the Status Bar?
- http://support.mozilla.com/en-US/kb/what-happened-status-bar?s=show+status+bar&as=s#w_the-new-status-bar

Where are my Add-ons?
- http://support.mozilla.com/en-US/kb/what-happened-status-bar?s=show+status+bar&as=s#w_where-are-my-add-ons
"... Status-4-Evar** is an Add-on that recreates all of the features of the old Status Bar and lets you put them in the new Add-on Bar*..."
* http://support.mozilla.com/en-US/kb/what-add-bar
"... The Add-on Bar is a toolbar that holds all of your add-on shortcuts, giving you quick and easy access to their features. This article shows you how to use and customize the Add-on Bar... How do I show or hide the Add-on Bar?
If you don't have any add-ons that use the Add-on Bar, it won't be shown by default but you can easily show or hide it whenever you want.
> To show or hide the Add-on Bar, right-click on an empty section of the Tab Strip and check or uncheck it in the pop-up menu.
You can also use the keyboard shortcut Ctrl + /."

** https://addons.mozilla.org/en-US/firefox/addon/235283/

How do I put tabs back on bottom like they used to be?
- http://support.mozilla.com/en-US/kb/why-are-tabs-top#w_how-do-i-put-tabs-back-on-bottom-like-they-used-to-be
"At the top of the Firefox window, click on the Firefox button, go over to the Options... arrow and uncheck Tabs on Top".
-or-
"... By default, the Tab Strip is above the Navigation Toolbar. If you want it below, right-click on an empty section of the Tab Strip and uncheck 'Tabs on Top'..."
___

Adblock Plus v1.3.5
- https://addons.mozilla.org/en-US/firefox/addon/1865

- http://adblockplus.org/releases/adblock-plus-135-released

- http://adblockplus.org/en/changelog-1.3.5
___

.

AplusWebMaster
2011-03-23, 15:18
FYI...

Firefox v3.6.16 and 3.5.18...
- http://isc.sans.edu/diary/Firefox+3+Updates+and+SSL+Blacklist+extension/10597
Last Updated: 2011-03-23 13:01:43 UTC - "At the heels of yesterday's Firefox 4 release, we today got 3.6.16 and 3.5.18. As usual, Mozilla will provide security updates for some older browsers after the release of a new major version. If you are not planning to update to Firefox 4 soon, you should update to the newest 3.x version..."
>> http://www.mozilla.com/en-US/firefox/all-older.html
(Should also be available thru the 'Help > Check for Updates' function.)

- http://www.mozilla.org/security/announce/2011/mfsa2011-11.html
March 22, 2011

- http://www.securitytracker.com/id/1025243
Mar 23 2011

What’s New in Firefox 3.6.16...
- http://www.mozilla.com/en-US/firefox/3.6.16/releasenotes/
v.3.6.16, released March 22nd, 2011 - "... blacklists a few invalid HTTPS certificates."

- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.2:.16-fixed
One bug found... bogus certs issued by Comodo partner.

- http://isc.sans.edu/diary.html?storyid=10603
Last Updated: 2011-03-23 18:11:20 UTC

:spider:

AplusWebMaster
2011-04-29, 01:52
FYI...

Firefox v4.0.1 released
From an admin. account, start Firefox, then >Help >About >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html
April 28, 2011
>Release notes
- http://www.mozilla.com/en-US/firefox/4.0.1/releasenotes/
> Security Advisories
- http://www.mozilla.org/security/known-vulnerabilities/firefox40.html#firefox4.0.1
MFSA 2011-18 XSLT generate-id() function heap address leak
MFSA 2011-17 WebGLES vulnerabilities
MFSA 2011-12 Miscellaneous memory safety hazards (rv:2.0.1/ 1.9.2.17/ 1.9.1.19)
- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status2.0%3A.1-fixed
55 bugs found.
___

v3.6.17
- http://www.mozilla.com/en-US/firefox/3.6.17/releasenotes/
April 28, 2011
>Help >Check for Updates
-or-
- http://www.mozilla.com/en-US/firefox/all-older.html
> Security Advisories
- http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.17
MFSA 2011-18 XSLT generate-id() function heap address leak
MFSA 2011-16 Directory traversal in resource: protocol
MFSA 2011-15 Escalation of privilege through Java Embedding Plugin
MFSA 2011-14 Information stealing via form history
MFSA 2011-13 Multiple dangling pointer vulnerabilities
MFSA 2011-12 Miscellaneous memory safety hazards (rv:2.0.1/ 1.9.2.17/ 1.9.1.19)
- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.2%3A.17-fixed
59 bugs found
___

- http://www.securitytracker.com/id/1025456
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
CVE Reference:
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0065 - 10.0
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0066 - "
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0069 - "
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0070 - "
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0072 - "
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0073 - "
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0074 - "
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0075 - "
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0076 - 7.5
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0077 - 10.0
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0078 - "
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0079 - "
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0080 - "
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0081 - "
Version(s): -prior- to 3.5.19, 3.6.17, 4.0.1
Apr 29 2011
___

- https://developer.mozilla.org/devnews/index.php/2011/04/28/firefox-4-0-1-3-6-17-and-3-5-19-security-updates-now-available/
April 28, 2011 - "... This is the last planned security and stability release for Firefox 3.5. All users are encouraged to upgrade..."

:fear:

AplusWebMaster
2011-05-17, 02:00
FYI...

Firefox 5 ...
- http://www.h-online.com/open/news/item/Firefox-5-nears-with-release-candidate-1261711.html
16 June 2011 - "... the final version of Firefox 5 will be released on Tuesday 21 June alongside Firefox 3.6.18 and Thunderbird 3.1.11..."
- https://wiki.mozilla.org/Releases#Firefox_5

- http://secunia.com/advisories/44972/
... The weakness is reported in version 4.0.1. Other versions may also be affected.
Solution: The vendor recommends to disable WebGL. The vendor has scheduled a fix for 2011-06-21...
Original Advisory: Mozilla:
http://blog.mozilla.com/security/2011/06/16/webgl-graphics-memory-stealing-issue/

- http://www.securitytracker.com/id/1025676
Jun 17 2011 ... fix, tentatively scheduled for June 21, 2011...
___

Firefox v3.5 forced upgrade...
- http://isc.sans.org/diary.html?storyid=10885
Last Updated: 2011-05-16 21:39:57 UTC - "With Firefox 4 released not too long ago and Firefox 5 supposed to be released on June 21st... seems to be 12 million users still on Firefox 3.5... Firefox will start issuing warning on Google's default pages for users of version 3.5 and planning to push out 3.6.18 as an update (if auto update is enabled) once Firefox 5 is out... More info*..."
* http://www.theregister.co.uk/2011/05/16/mozilla_firefox_3_5_forced_upgrade/

- https://wiki.mozilla.org/Releases/3.5_EOL#Assumptions
11 May 2011

:fear::spider:

AplusWebMaster
2011-06-21, 20:01
FYI...

Firefox v5.0 released
From an admin. account, start Firefox, then >Help >About >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html
June 21, 2011
> Release notes
- http://www.mozilla.com/en-US/firefox/5.0/releasenotes/
> Security Advisories
- http://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox5
Bug list
- http://www.mozilla.com/en-US/firefox/5.0/releasenotes/buglist.html
... -long- list...

- http://blog.mozilla.com/blog/2011/06/21/mozilla-delivers-new-version-of-firefox-first-web-browser-to-support-do-not-track-on-multiple-platforms/
June 21, 2011 - "... The latest version of Firefox includes more than 1,000 improvements and performance enhancements..."

- http://secunia.com/advisories/44972/
2011-06-21
Criticality level: Highly critical
Impact: Cross Site Scripting, Exposure of sensitive information, System access
Where: From remote ...
Solution: Upgrade to version 5.0.
Original Advisory: Mozilla:
http://blog.mozilla.com/security/2011/06/16/webgl-graphics-memory-stealing-issue/
http://www.mozilla.org/security/announce/2011/mfsa2011-19.html
http://www.mozilla.org/security/announce/2011/mfsa2011-20.html
http://www.mozilla.org/security/announce/2011/mfsa2011-21.html
http://www.mozilla.org/security/announce/2011/mfsa2011-22.html
http://www.mozilla.org/security/announce/2011/mfsa2011-25.html
http://www.mozilla.org/security/announce/2011/mfsa2011-26.html
http://www.mozilla.org/security/announce/2011/mfsa2011-27.html

- http://www.securitytracker.com/id/1025684
CVE Reference: CVE-2011-0083, CVE-2011-0085, CVE-2011-2362, CVE-2011-2363, CVE-2011-2364, CVE-2011-2365, CVE-2011-2367, CVE-2011-2368, CVE-2011-2369, CVE-2011-2370, CVE-2011-2371, CVE-2011-2373, CVE-2011-2374, CVE-2011-2375, CVE-2011-2376, CVE-2011-2377
Updated: Jun 22 2011
Version(s): prior to 3.6.18, prior to 5...
___

v3.6.18
- http://www.mozilla.com/en-US/firefox/3.6.18/releasenotes/
June 21, 2011
From an admin. account, start Firefox, then >Help >Check for Updates
-or-
- http://www.mozilla.com/en-US/firefox/all-older.html
> Security Advisories
- http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.18
Bug list
- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.2%3A.18-fixed
19 bugs found.

- http://secunia.com/advisories/44982/
2011-06-21
Criticality level: Highly critical
Impact: Security Bypass, System access
Where: From remote ...
Solution: Update to Firefox version 3.6.18...
Original Advisory: Mozilla:
http://www.mozilla.org/security/announce/2011/mfsa2011-19.html
http://www.mozilla.org/security/announce/2011/mfsa2011-20.html
http://www.mozilla.org/security/announce/2011/mfsa2011-21.html
http://www.mozilla.org/security/announce/2011/mfsa2011-22.html
http://www.mozilla.org/security/announce/2011/mfsa2011-23.html
http://www.mozilla.org/security/announce/2011/mfsa2011-24.html

:fear:

AplusWebMaster
2011-07-17, 04:27
FYI...

Firefox v5.0.1 released for Mac OS/X...
- http://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox5
June 12, 2011 - "Fixed in Firefox 5.0.1:
Firefox 5.0.1 addresses problems with recent Mac OS X releases*. It does -not- contain security fixes."
* http://www.mozilla.com/firefox/5.0.1/releasenotes/#whatsnew2
• Worked around an issue in Mac OS X 10.7 that could cause Firefox to crash
• Worked around an issue caused by Apple's "Java for Mac OS X 10.6 Update 5" where the Java plugin would not be loaded

:cleaning:

AplusWebMaster
2011-08-16, 20:44
FYI...

Firefox v6.0 released
From an admin. account, start Firefox, then >Help >About >Check for Updates
-or-
Download:
- https://www.mozilla.com/en-US/firefox/all.html
August 16, 2011
> Release notes
- https://www.mozilla.com/en-US/firefox/6.0/releasenotes/
What's New...
> https://hacks.mozilla.org/2011/08/firefox6/
Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox6
MFSA 2011-29 Security issues addressed in Firefox 6
- https://www.mozilla.org/security/announce/2011/mfsa2011-29.html
... 8 critical and 2 high severity issues
Bug list
- https://www.mozilla.com/en-US/firefox/6.0/releasenotes/buglist.html
___

Firefox v3.6.20 released
August 16, 2011
From an admin. account, start Firefox, then >Help >Check for Updates
-or-
- https://www.mozilla.com/en-US/firefox/all-older.html
> Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.20
MFSA2011-30 Security issues addressed in Firefox 3.6.20
- https://www.mozilla.org/security/announce/2011/mfsa2011-30.html
Bug list
- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.2%3A.20-fixed
5 bugs found
___

- http://www.securitytracker.com/id/1025938
Aug 16 2011
CVE Reference: CVE-2011-0084, CVE-2011-2378, CVE-2011-2980, CVE-2011-2981, CVE-2011-2982, CVE-2011-2983, CVE-2011-2984, CVE-2011-2985, CVE-2011-2986, CVE-2011-2987, CVE-2011-2988, CVE-2011-2989, CVE-2011-2990, CVE-2011-2991, CVE-2011-2992, CVE-2011-2993
Version(s): 3.6.x prior to 3.6.20; 4.x and 5.x prior to 6
Solution: The vendor has issued a fix (3.6.20, 6)...
- http://www.mozilla.org/security/announce/2011/mfsa2011-29.html
- http://www.mozilla.org/security/announce/2011/mfsa2011-30.html

:fear:

AplusWebMaster
2011-08-31, 15:37
FYI...

- https://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/
09.02.11
___

Firefox v6.0.1 released
From an admin. account, start Firefox, then >Help >About >Check for Updates
-or-
Download:
- https://www.mozilla.com/en-US/firefox/all.html
August 30, 2011
> Release notes
- https://www.mozilla.org/en-US/firefox/6.0.1/releasenotes/
Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox6.0.1
MFSA 2011-34 Protection against fraudulent DigiNotar certificates
- https://www.mozilla.org/security/announce/2011/mfsa2011-34.html
___

Firefox v3.6.21 released
August 30, 2011
From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- https://www.mozilla.com/en-US/firefox/all-older.html
> Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.21
MFSA 2011-34 Protection against fraudulent DigiNotar certificates
- https://www.mozilla.org/security/announce/2011/mfsa2011-34.html

:fear:

AplusWebMaster
2011-09-07, 00:47
FYI...

Firefox v6.0.2 released
From an admin. account, start Firefox, then >Help >About >Check for Updates
-or-
Download:
- https://www.mozilla.com/en-US/firefox/all.html
September 6, 2011
> Release notes
- https://www.mozilla.org/en-US/firefox/6.0.2/releasenotes/
Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox6.0.2
MFSA 2011-35 Additional protection against fraudulent DigiNotar certificates
- https://www.mozilla.org/security/announce/2011/mfsa2011-35.html
___

Firefox v3.6.22 released
September 6, 2011
From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- https://www.mozilla.com/en-US/firefox/all-older.html
> Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.22
MFSA 2011-35 Additional protection against fraudulent DigiNotar certificates
- https://www.mozilla.org/security/announce/2011/mfsa2011-35.html

AplusWebMaster
2011-09-27, 23:54
FYI...

Firefox v7.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates
-or-
Download:
- https://www.mozilla.com/en-US/firefox/all.html
September 27, 2011
> Release notes
- https://www.mozilla.org/en-US/firefox/7.0/releasenotes/
Security Advisories - Fixed in Firefox 7
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox7
Bugs fixed
- https://www.mozilla.org/en-US/firefox/7.0/releasenotes/buglist.html

- https://blog.mozilla.com/blog/2011/09/27/mozilla-firefox-significantly-reduces-memory-use-to-make-web-browsing-faster/
September 27, 2011

- https://secunia.com/advisories/46171/
Release Date: 2011-09-28
Criticality level: Highly critical
Impact: Security Bypass, System access
Where: From remote...
Solution: Upgrade to version 7.0.

- http://www.securitytracker.com/id/1026121
CVE Reference: CVE-2011-2372, CVE-2011-2995, CVE-2011-2996, CVE-2011-2997, CVE-2011-2998, CVE-2011-2999, CVE-2011-3000, CVE-2011-3001, CVE-2011-3002, CVE-2011-3003, CVE-2011-3004, CVE-2011-3005, CVE-2011-3232
... prior to 3.6.23; 6.x
Updated: Sep 29 2011

- http://h-online.com/-1350870
28 September 2011
___

Firefox v3.6.23 released
September 27, 2011
From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- https://www.mozilla.com/en-US/firefox/all-older.html
Security Advisories - Fixed in Firefox 3.6.23
- https://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.23
Bugs fixed
- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.2%3A.23-fixed

- https://secunia.com/advisories/46203/
Release Date: 2011-09-28
Criticality level: Highly critical
Impact: Security Bypass, System access
Where: From remote...
Solution: Update to version 3.6.23.

AplusWebMaster
2011-09-30, 16:45
FYI...

Firefox v7.0.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates
-or-
Download:
- https://www.mozilla.com/en-US/firefox/all.html
September 29, 2011
Issue discovered with Firefox add-on upgrades
- https://blog.mozilla.com/addons/2011/09/28/issue-discovered-with-firefox-add-on-upgrades/
"... some users may have one or more of their add-ons hidden after upgrading to the latest Firefox version, affecting both desktop and mobile. These add-ons and their data are still intact and haven’t actually been removed... update to Firefox will fix this and restore any hidden add-ons..."
> https://support.mozilla.com/en-US/kb/add-ons-hidden-after-updating-firefox-7
> https://addons.mozilla.org/en-US/firefox/addon/fx7-recovery/

Release notes
- https://www.mozilla.org/en-US/firefox/7.0.1/releasenotes/

AplusWebMaster
2011-11-08, 22:49
FYI...

Firefox v8.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates
-or-
Download:
- https://www.mozilla.com/en-US/firefox/all.html
November 8, 2011

- https://www.mozilla.org/en-US/firefox/8.0/releasenotes/
Security Advisories:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox8
Fixed in Firefox 8:
MFSA 2011-52 Code execution via NoWaiverWrapper
MFSA 2011-51 Cross-origin image theft on Mac with integrated Intel GPU
MFSA 2011-50 Cross-origin data theft using canvas and Windows D2D
MFSA 2011-49 Memory corruption while profiling using Firebug
MFSA 2011-48 Miscellaneous memory safety hazards (rv:8.0)
MFSA 2011-47 Potential XSS against sites using Shift-JIS
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3649 - 2.6
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3653 - 5.0
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3650 - 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3655 - 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3651 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3652 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3654 - 10.0 (HIGH)
CVSS v2 Base Score: 10.0 (HIGH)
"... Firefox before 8.0..."

Bugs fixed
- https://www.mozilla.org/en-US/firefox/8.0/releasenotes/buglist.html
___

Firefox v3.6.24 released
November 8, 2011
From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- https://www.mozilla.com/en-US/firefox/all-older.html
Security Advisories:
- https://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.24
Fixed in Firefox 3.6.24:
MFSA 2011-49 Memory corruption while profiling using Firebug
MFSA 2011-47 Potential XSS against sites using Shift-JIS
MFSA 2011-46 loadSubScript unwraps XPCNativeWrapper scope parameter (1.9.2 branch)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3648 - 4.3
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3647 - 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3650 - 9.3 (HIGH)
CVSS v2 Base Score: 9.3 (HIGH)
"... Firefox before 3.6.24..."

Bugs fixed
- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.2%3A.24-fixed
___

- https://secunia.com/advisories/46773/
Release Date: 2011-11-09
Criticality level: Highly critical
Impact: Security Bypass, Cross Site Scripting, Exposure of sensitive information, System access
Where: From remote ...
Solution: Upgrade to version 8.0...

- https://secunia.com/advisories/46757/
Release Date: 2011-11-09
Criticality level: Highly critical
Impact: Cross Site Scripting, Exposure of sensitive information, System access
Where: From remote ...
Solution: Update to Firefox version 3.6.24 ...

- http://www.securitytracker.com/id/1026298
Date: Nov 9 2011
CVE Reference: CVE-2011-3647, CVE-2011-3648, CVE-2011-3649, CVE-2011-3650, CVE-2011-3651, CVE-2011-3652, CVE-2011-3653, CVE-2011-3654, CVE-2011-3655
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network...
Solution: The vendor has issued a fix (3.6.24, 8.0)...

AplusWebMaster
2011-12-21, 02:56
FYI...

Firefox v9.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates
-or-
Download:
- https://www.mozilla.com/en-US/firefox/all.html
December 20, 2011

- https://www.mozilla.org/en-US/firefox/9.0/releasenotes/
Security Advisories:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox9
Fixed in Firefox 9:
MFSA 2011-58 Crash scaling <video> to extreme sizes
MFSA 2011-57 Crash when plugin removes itself on Mac OS X
MFSA 2011-56 Key detection without JavaScript via SVG animation
MFSA 2011-55 nsSVGValue out-of-bounds access
MFSA 2011-54 Potentially exploitable crash in the YARR regular expression library
MFSA 2011-53 Miscellaneous memory safety hazards (rv:9.0)

Bugs fixed
- https://www.mozilla.org/en-US/firefox/9.0/releasenotes/buglist.html

- https://secunia.com/advisories/47302/
Release Date: 2011-12-21
Criticality level: Highly critical
Impact: Unknown, Exposure of sensitive information, System access
Where: From remote
CVE Reference(s):
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3658 - 7.5 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3660 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3661 - 7.5 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3663 - 4.3
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3664 - 7.5 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3665 - 7.5 (HIGH)
Last revised: 12/21/2011
... exploitation of vulnerabilities... may allow execution of arbitrary code.
Solution: Upgrade to version 9.0.

- http://www.securitytracker.com/id/1026445
Dec 21 2011
___

Firefox v3.6.25 released
December 20, 2011
From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- https://www.mozilla.com/en-US/firefox/all-older.html
Security Advisories:
- https://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.25
Fixed in Firefox 3.6.25:
MFSA 2011-59 .jar not treated as executable in Firefox 3.6 on Mac

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3666
Last revised: 12/21/2011
CVSS v2 Base Score: 6.8 (MEDIUM)
"... Firefox before 3.6.25..."

Bugs fixed
- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.2%3A.25-fixed

AplusWebMaster
2011-12-22, 06:37
FYI...

- https://wiki.mozilla.org/Releases#Firefox_10
"... Firefox 10... January 31, 2012..."
___

Firefox v9.0.1 ?
- https://www.mozilla.org/en-US/firefox/9.0.1/releasenotes/buglist.html
December 21st, 2011

- http://forums.mozillazine.org/viewtopic.php?f=7&t=2391989
Dec. 21 4:51 pm - "... 9.0.1 the next day?... Apparently Mac users were experiencing crashes on startup..."

- https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/9.0.1-candidates/build1/
Index of /pub/mozilla.org/firefox/nightly/9.0.1-candidates/build1

- https://bugzilla.mozilla.org/show_bug.cgi?id=711794#c96
2011-12-21 19:17:51 PST
___

Mozilla and Google Sign New Agreement for Default Search in Firefox
- https://blog.mozilla.com/blog/2011/12/20/mozilla-and-google-sign-new-agreement-for-default-search-in-firefox/
December 20, 2011 - "... we have negotiated a significant and mutually beneficial revenue agreement with Google. This new agreement extends our long term search relationship with Google for at least three additional years..."

- http://h-online.com/-1400943
23 December 2011

AplusWebMaster
2012-01-31, 20:39
FYI...

Firefox v10.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates
-or-
Download:
- https://www.mozilla.com/firefox/all.html
Jan 31, 2012

What's new...
- https://www.mozilla.org/en-US/firefox/10.0/releasenotes/
Release Notes/Bug fixes ... complete list of changes in this release.
- https://www.mozilla.org/en-US/firefox/10.0/releasenotes/buglist.html
Security Advisories:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox10
Fixed in Firefox 10
MFSA 2012-08 Crash with malformed embedded XSLT stylesheets
MFSA 2012-07 Potential Memory Corruption When Decoding Ogg Vorbis files
MFSA 2012-06 Uninitialized memory appended when encoding icon images may cause information disclosure
MFSA 2012-05 Frame scripts calling into untrusted objects bypass security checks
MFSA 2012-04 Child nodes from nsDOMAttribute still accessible after removal of nodes
MFSA 2012-03 <iframe> element exposed across domains via name attribute
MFSA 2012-01 Miscellaneous memory safety hazards (rv:10.0/ rv:1.9.2.26)

- http://www.securitytracker.com/id/1026605
Updated: Feb 1 2012
CVE Reference:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3659 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0442 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0443 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0444 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0445 - 5.0
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0446 - 4.3
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0447 - 5.0
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0449 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0450 - 2.1
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Version(s): prior to 3.2.26; prior to 10.0

- http://www.securitytracker.com/id/1026608
Date: Feb 1 2012
CVE Reference: CVE-2011-3670
Impact: Disclosure of system information, Disclosure of user information
Version(s): prior to 3.6.26, prior to 7.0

- https://secunia.com/advisories/47816/
Release Date: 2012-02-01
Criticality level: Highly critical
Impact: Security Bypass, Exposure of sensitive information, System access
Where: From remote...
Solution: Upgrade to Firefox version 10.0...

- https://secunia.com/advisories/47839/
Release Date: 2012-02-01
Criticality level: Highly critical
Impact: Exposure of sensitive information, System access
Where: From remote...
Solution: Update to Firefox version 3.6.26...

- http://h-online.com/-1425611
31 January 2012
___

Firefox v3.6.26 released
Jan 31, 2012

From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- https://www.mozilla.com/firefox/all-older.html
Security Advisories:
- https://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.26
Fixed in Firefox 3.6.26:
MFSA 2012-08 Crash with malformed embedded XSLT stylesheets
MFSA 2012-07 Potential Memory Corruption When Decoding Ogg Vorbis files
MFSA 2012-04 Child nodes from nsDOMAttribute still accessible after removal of nodes
MFSA 2012-02 Overly permissive IPv6 literal syntax
MFSA 2012-01 Miscellaneous memory safety hazards (rv:10.0/ rv:1.9.2.26)

Bugs fixed
- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.2%3A.26-fixed

AplusWebMaster
2012-02-11, 02:13
FYI...

Firefox v10.0.1 released

From an admin. account, start Firefox, then >Help >About >Check for Updates
-or-
Download:
- https://www.mozilla.com/firefox/all.html

- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox10.0.1
Impact: Critical
Feb 10, 2012
Fixed in Firefox 10.0.1:
MFSA 2012-10 use after free in nsXBLDocumentInfo::ReadPrototypeBindings

- https://www.mozilla.org/security/announce/2012/mfsa2012-10.html
References:
. use after free in nsXBLDocumentInfo::ReadPrototypeBindings
. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0452 - 7.5 (HIGH)
Last revised: 02/13/2012 - "... allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code..."
___

- https://secunia.com/advisories/48008/
Release Date: 2012-02-13
Criticality level: Highly critical
Impact: System access
Where: From remote
CVE Reference: CVE-2012-0452
Solution:
Update Firefox and Thunderbird to version 10.0.1 and SeaMonkey to version 2.7.1

- http://www.securitytracker.com/id/1026663
Date: Feb 13 2012
CVE Reference: CVE-2012-0452
Impact: Execution of arbitrary code via network, User access via network
Solution: The vendor has issued a fix (10.0.1).

AplusWebMaster
2012-02-17, 20:05
FYI...

Firefox v10.0.2 released

From an admin. account, start Firefox, then >Help >About >Check for Updates
-or-
Download:
- https://www.mozilla.com/firefox/all.html

- https://www.mozilla.org/security/announce/2012/mfsa2012-11.html
Impact: Critical
Fixed in: Firefox 10.0.2 or 3.6.27**, Thunderbird 10.0.2 or 3.1.19, or SeaMonkey 2.7.2.
** https://www.mozilla.org/en-US/firefox/all-older.html

Mozilla release to address CVE-2011-3026
- https://blog.mozilla.com/security/2012/02/17/mozilla-releases-to-address-cve-2011-3026/
2.17.12 - "Issue: The libpng graphics library, used by Firefox and Thunderbird as well as many other software packages, contains an exploitable integer overflow bug. An attacker could craft malicious images which exploit this bug, and deliver them to users through websites or email messages.
Impact to users: This bug is remotely exploitable and can lead to arbitrary code execution. Firefox, Thunderbird and Seamonkey users could be attacked simply by displaying a maliciously crafted image.
Status: Mozilla is aware of this bug and has issued a fix that will be released today for Firefox -and- Thunderbird*.
Credit: The bug was reported by RedHat representatives..."

> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3026 - 7.5 (HIGH)
Last revised: 02/17/2012 - "Integer overflow in libpng, as used in Google Chrome before 17.0.963.56, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that trigger an integer truncation..."

* https://www.mozilla.org/thunderbird/10.0.2/releasenotes/
v. 10.0.2, released: Feb 16, 2012
___

Firefox...
- http://www.securitytracker.com/id/1026707
Date: Feb 18 2012
CVE Reference: CVE-2011-3026
Version(s): ... prior to 3.6.27; prior to 10.0.2...
Impact: A remote user can create a PNG image that, when loaded by the target user, will execute arbitrary code on the target user's system...

Thunderbird...
- http://www.securitytracker.com/id/1026706
Date: Feb 18 2012
CVE Reference: CVE-2011-3026
Version(s): ... prior to 3.1.19; prior to 10.0.2
Impact: A remote user can create a PNG image that, when loaded by the target user, will execute arbitrary code on the target user's system...

- https://secunia.com/advisories/48089/
Release Date: 2012-02-17
Criticality level: Highly critical
Impact: System access
Where: From remote...
Solution: Update to Firefox 10.0.2 or 3.6.27, Thunderbird 10.0.2 or 3.1.19, or SeaMonkey 2.7.2.
Original Advisory: Mozilla:
http://www.mozilla.org/security/announce/2012/mfsa2012-11.html
http://blog.mozilla.com/security/2012/02/17/mozilla-releases-to-address-cve-2011-3026/

Vuln in libpng ...
- http://h-online.com/-1436810
17 Feb 2012

>> https://secunia.com/advisories/48026/

AplusWebMaster
2012-03-14, 02:51
FYI...

Firefox v11.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates
-or-
Download: https://www.mozilla.com/firefox/all.html
March 13, 2012

What's new...
- https://www.mozilla.org/firefox/11.0/releasenotes/
Release Notes/Bug fixes ... See: Known Issues...
Complete list of changes in this release:
- https://www.mozilla.org/firefox/11.0/releasenotes/buglist.html
Security Advisories:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox11
Fixed in Firefox 11
MFSA 2012-19 Miscellaneous memory safety hazards (rv:11.0/ rv:10.0.3 / rv:1.9.2.28)
MFSA 2012-18 window.fullScreen writeable by untrusted content
MFSA 2012-17 Crash when accessing keyframe cssText after dynamic modification
MFSA 2012-16 Escalation of privilege with Javascript: URL as home page
MFSA 2012-15 XSS with multiple Content Security Policy headers
MFSA 2012-14 SVG issues found with Address Sanitizer
MFSA 2012-13 XSS with Drag and Drop and Javascript: URL
MFSA 2012-12 Use-after-free in shlwapi.dll

- https://secunia.com/advisories/48402/
Release Date: 2012-03-14
Criticality level: Highly critical
Impact: Security Bypass, Cross Site Scripting, Exposure of sensitive information, System access
Where: From remote
CVE Reference(s): CVE-2012-0451, CVE-2012-0454, CVE-2012-0455, CVE-2012-0456, CVE-2012-0457, CVE-2012-0458, CVE-2012-0459, CVE-2012-0460, CVE-2012-0461, CVE-2012-0462, CVE-2012-0463, CVE-2012-0464
Solution: Update or upgrade to Firefox versions 11.0 or 10.0.3, Thunderbird versions 11.0 or 10.0.3, and SeaMonkey version 2.8.

- http://www.securitytracker.com/id/1026801
Date: Mar 14 2012
CVE Reference: CVE-2012-0451, CVE-2012-0454, CVE-2012-0455, CVE-2012-0456, CVE-2012-0457, CVE-2012-0458, CVE-2012-0459, CVE-2012-0460, CVE-2012-0461, CVE-2012-0462, CVE-2012-0463, CVE-2012-0464
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Version(s): prior to 11
Solution: The vendor has issued a fix (3.6.28, ESR 10.0.3, 11.0)...
___

Firefox v3.6.28 released
March 13, 2012

From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download: https://www.mozilla.com/firefox/all-older.html

- https://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.28
Fixed in Firefox 3.6.28

- https://secunia.com/advisories/48414/
Release Date: 2012-03-14
Criticality level: Highly critical
Impact: Cross Site Scripting, System access
Where: From remote
CVE Reference(s): CVE-2012-0455, CVE-2012-0456, CVE-2012-0457, CVE-2012-0458, CVE-2012-0461, CVE-2012-0464
Original Advisory:
http://www.mozilla.org/security/announce/2012/mfsa2012-13.html
http://www.mozilla.org/security/announce/2012/mfsa2012-14.html
http://www.mozilla.org/security/announce/2012/mfsa2012-16.html
http://www.mozilla.org/security/announce/2012/mfsa2012-19.html
Solution: Update to Firefox version 3.6.28 and Thunderbird version 3.1.20.

AplusWebMaster
2012-03-27, 11:20
FYI...

Firefox 3.6.x EOL
- http://h-online.com/-1479643
26 March 2012 - "The Mozilla Project has announced* that... the 3.6.x branch of its open source Firefox web browser will reach its end of life on Tuesday 24 April... from that date onwards, no new updates, including security updates and critical fixes, will be released for Firefox 3.6.x... version 3.6.28 from earlier this month will be the final 3.6.x release of Firefox... All Firefox 3.6.x users are strongly advised to upgrade..."
* http://blog.mozilla.com/futurereleases/2012/03/23/upcoming-firefox-support-changes/

- https://wiki.mozilla.org/Releases#Upcoming_Releases
"Firefox 12... Moves to RELEASED on April 24, 2012..."

AplusWebMaster
2012-04-03, 21:45
FYI...

Firefox blocklist now includes vulnerable Java versions...
- https://www.computerworld.com/s/article/9225800/Mozilla_adds_vulnerable_Java_plug_in_versions_to_Firefox_blocklist
April 3, 2012 - "Mozilla has blacklisted* unpatched versions of the Java plug-in from Firefox on Windows in order to protect its users from attacks that exploit known vulnerabilities in those versions. Mozilla can add extensions or plug-ins to the Firefox add-on blocklist if they cause significant security or performance issues. Firefox installations automatically query the blocklist and notify users before disabling the targeted add-ons..."
* https://blog.mozilla.com/addons/2012/04/02/blocking-java/
"... vulnerability - present in the older versions of the JDK and JRE - is actively being exploited, and is a potential risk to users. To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox’s blocklist**. A blocklist entry for the Java plugin on OS X may be added at a future date. Mozilla strongly encourages anyone who requires the JDK and JRE to update to the current version as soon as possible on all platforms..."
** https://addons.mozilla.org/en-US/firefox/blocked/p80

- https://bugzilla.mozilla.org/show_bug.cgi?id=739955

AplusWebMaster
2012-04-24, 23:56
FYI...

Firefox v12.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates
-or-
Download: https://www.mozilla.com/firefox/all.html
April 24, 2012

What's new...
- https://www.mozilla.org/firefox/12.0/releasenotes/
Release Notes/Bug fixes ... See: Known Issues...
Complete list of changes in this release:
- https://www.mozilla.org/firefox/12.0/releasenotes/buglist.html
Security Advisories:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox12
Fixed in Firefox 12
MFSA 2012-33 Potential site identity spoofing when loading RSS and Atom feeds
MFSA 2012-32 HTTP Redirections and remote content can be read by javascript errors
MFSA 2012-31 Off-by-one error in OpenType Sanitizer
MFSA 2012-30 Crash with WebGL content using textImage2D
MFSA 2012-29 Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues
MFSA 2012-28 Ambiguous IPv6 in Origin headers may bypass webserver access restrictions
MFSA 2012-27 Page load short-circuit can lead to XSS
MFSA 2012-26 WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error
MFSA 2012-25 Potential memory corruption during font rendering using cairo-dwrite
MFSA 2012-24 Potential XSS via multibyte content processing errors
MFSA 2012-23 Invalid frees causes heap corruption in gfxImageSurface
MFSA 2012-22 use-after-free in IDBKeyRange
MFSA 2012-21 Multiple security flaws fixed in FreeType v2.4.9
MFSA 2012-20 Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4)
___

- http://h-online.com/-1546370
24 April 2012
> http://www.h-online.com/security/news/item/Firefox-12-released-can-now-update-itself-1546370.html?view=zoom;zoom=3
___

- https://secunia.com/advisories/48932/
Release Date: 2012-04-25
Criticality level: Highly critical
Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of system information, Exposure of sensitive information, System access
Where: From remote...
Solution: Upgrade to Firefox version 12.0 and Thunderbird version 12.0...

- http://www.securitytracker.com/id/1026971
Date: Apr 24 2012
CVE Reference:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1187 - 5.0
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0467 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0468 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0469 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0470 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0471 - 4.3
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0472 - 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0473 - 5.0
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0474 - 4.3
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0475 - 2.6
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0477 - 4.3
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0478 - 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0479 - 4.3
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Version(s): prior to 12.0...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with a target site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A remote user can spoof certain web sites.
A remote user can obtain potentially sensitive information...

AplusWebMaster
2012-05-02, 19:11
FYI...

Firefox add-on ShowIP - privacy concerns
- http://nakedsecurity.sophos.com/2012/05/01/privacy-concern-showip-firefox-add-on/
May 1, 2012 - "A popular Firefox add-on appears to have started leaking private information about every website that users visit to a third-party server, including sensitive data which could identify individuals or reduce their security... What the add-on's description doesn't say is that since version 1.3 (released on April 19th 2012) it has also sent - unencrypted - the full URL of sites visited using HTTPS, and sites viewed in Private Browsing mode, to a site called ip2info .org. The user never realises that the data has been shared with a third-party, unless they use special tools to monitor what data is being sent from their computer... The full URL of -every- webpage visited is sent to the Germany-based ip2info .org website, using unencrypted connections. In addition, the add-on has no warning that sites you visit might be disclosed, no privacy policy small print explaining its behaviour, and no apparent way to opt-out of the data-sharing... And who appears to have registered the domain? A Berlin-based link marketing firm. Hmm...
Update: Mozilla has rolled the version of ShowIP they make available on their add-on site back to 1.0. They say they are working with the developer on correcting the issue. Hopefully in future their review process will flag privacy issues like this one to prevent users' data being potentially exposed."
