Firefox updates

[AplusWebMaster]

FYI...

Firefox v2.0.0.20 released
- http://www.mozilla.com/en-US/firefox/all-older.html
December 18, 2008

Release Notes:
- http://www.mozilla.com/en-US/firefox.../releasenotes/
Note: This is the last planned release of Firefox 2. All users are encouraged to upgrade to Firefox 3.
Firefox 2.0.0.20 does not include Phishing Protection.
- http://www.mozilla.com/en-US/firefox...enotes/#issues

Security Update:
- http://www.mozilla.com/en-US/firefox.../releasenotes/
Firefox 2.0.0.20 includes an additional security fix over Firefox 2.0.0.19 for users of the Windows platform. The following security issue* was fixed.

* http://www.mozilla.org/security/know...irefox2.0.0.20
MFSA 2008-65 Cross-domain data theft via script redirect error message (Windows)
- http://preview.tinyurl.com/3mvadg
"...Mozilla omitted one of the security patches that was supposed to be included in the Windows version of Tuesday's Firefox 2.0 .0.19 release..."

Firefox 3
- http://secunia.com/advisories/33203/
...Solution: Update to version 3.0.5.
http://www.mozilla.com/en-US/product...=firefox-3.0.5

[AplusWebMaster]

FYI...

Firefox v3.0.6 released

From an admin account, start Firefox, then >Help >Check for Updates
-or-

Download Firefox v3.0.6
- http://www.mozilla.com/firefox/all.html

Security Advisories for Firefox v3.0.6
- http://www.mozilla.org/security/know...l#firefox3.0.6
Fixed in Firefox 3.0.6
MFSA 2009-06 Directives to not cache pages ignored
MFSA 2009-05 XMLHttpRequest allows reading HTTPOnly cookies
MFSA 2009-04 Chrome privilege escalation via local .desktop files
MFSA 2009-03 Local file stealing with SessionStore
MFSA 2009-02 XSS using a chrome XBL method and window.eval
MFSA 2009-01 Crashes with evidence of memory corruption (rv:1.9.0.6)

- http://secunia.com/advisories/33799/
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.x...

- http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0352
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0353
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0354
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0355
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0356
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0357
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0358

[AplusWebMaster]

FYI...

Firefox v3.0.7 released

From an admin account, start Firefox, then >Help >Check for Updates
-or-

Download Firefox v3.0.7
- http://www.mozilla.com/firefox/all.html

Fixed in Firefox 3.0.7
- http://www.mozilla.org/security/know...l#firefox3.0.7
MFSA 2009-11 URL spoofing with invisible control characters
MFSA 2009-10 Upgrade PNG library to fix memory safety hazards
MFSA 2009-09 XML data theft via RDFXMLDataSource and cross-domain redirect
MFSA 2009-08 Mozilla Firefox XUL Linked Clones Double Free Vulnerability
MFSA 2009-07 Crashes with evidence of memory corruption (rv:1.9.0.7)

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0771
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0772
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0773
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0774
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0775
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0776

- http://secunia.com/advisories/34145/2/
Release Date: 2009-03-05
Critical: Highly critical
Impact: Security Bypass, Spoofing, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.x ...
Solution: Update to version 3.0.7 ...

[AplusWebMaster]

FYI...

Firefox v3.0.8 released

From an admin account, start Firefox, then >Help >Check for Updates
-or-

Download Firefox v3.0.8
- http://www.mozilla.com/firefox/all.html

Fixed in Firefox 3.0.8
- http://www.mozilla.org/security/know...l#firefox3.0.8
MFSA 2009-13 Arbitrary code execution through XUL <tree> element
MFSA 2009-12 XSL Transformation vulnerability

- http://secunia.com/advisories/34471/2/
Last Update: 2009-03-28
Critical: Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.x ...
Solution: Update to version 3.0.8...

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1044
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1169

[AplusWebMaster]

FYI...

Firefox v3.0.9 released

From an admin account, start Firefox, then >Help >Check for Updates
-or-

Download Firefox v3.0.9
- http://www.mozilla.com/firefox/all.html

Fixed in Firefox 3.0.9
- http://www.mozilla.org/security/know...l#firefox3.0.9
MFSA 2009-22 Firefox allows Refresh header to redirect to javascript: URIs
MFSA 2009-21 POST data sent to wrong site when saving web page with embedded frame
MFSA 2009-20 Malicious search plugins can inject code into arbitrary sites
MFSA 2009-19 Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString
MFSA 2009-18 XSS hazard using third-party stylesheets and XBL bindings
MFSA 2009-17 Same-origin violations when Adobe Flash loaded via view-source: scheme
MFSA 2009-16 jar: scheme ignores the content-disposition: header on the inner URI
MFSA 2009-15 URL spoofing with box drawing character
MFSA 2009-14 Crashes with evidence of memory corruption (rv:1.9.0.9)

- http://secunia.com/advisories/34758/2/
Release Date: 2009-04-22
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.x ...
Solution: Update to version 3.0.9...
CVE reference:
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1302
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1303
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1304
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1305
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1306
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1307
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1308
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1309
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1310
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1311
http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-1312

[AplusWebMaster]

FYI...

Firefox v3.0.10 released

From an admin account, start Firefox, then >Help >Check for Updates
-or-

Download Firefox v3.0.10
- http://www.mozilla.com/firefox/all.html

Fixed in Firefox 3.0.10
- http://www.mozilla.org/security/know...#firefox3.0.10
MFSA 2009-23 Crash in nsTextFrame::ClearTextRun()

- http://cve.mitre.org/cgi-bin/cvename...=CVE-2009-1313

- http://secunia.com/advisories/34866/2/
Release Date: 2009-04-28
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.x ...
Solution: Update to version 3.0.10...
Original Advisory: http://www.mozilla.org/security/anno...sa2009-23.html

[AplusWebMaster]

FYI...

Firefox v3.0.11 released

From an admin account, start Firefox, then >Help >Check for Updates
-or-

Download Firefox v3.0.11
- http://www.mozilla.com/firefox/all.html

Fixed in Firefox 3.0.11
- http://www.mozilla.org/security/know...#firefox3.0.11
MFSA 2009-32 JavaScript chrome privilege escalation
MFSA 2009-31 XUL scripts bypass content-policy checks
MFSA 2009-30 Incorrect principal set for file: resources loaded via location bar
MFSA 2009-29 Arbitrary code execution using event listeners attached to an element whose owner document is null
MFSA 2009-28 Race condition while accessing the private data of a NPObject JS wrapper class object
MFSA 2009-27 SSL tampering via non-200 responses to proxy CONNECT requests
MFSA 2009-26 Arbitrary domain cookie access by local file: resources
MFSA 2009-25 URL spoofing with invalid unicode characters
MFSA 2009-24 Crashes with evidence of memory corruption (rv:1.9.0.11)

- http://secunia.com/advisories/35331/2/
Release Date: 2009-06-12
Critical: Highly critical
Impact: Security Bypass, Spoofing, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.x ...
Solution: Update to version 3.0.11 ...

.

[AplusWebMaster]

FYI...

- http://support.mozilla.com/en-US/kb/...refox+3%C2%B75
"... To upgrade from Firefox 3.0.x, open the Help menu (from an Admin account) and click Check for Updates..."
(NOTE: Some add-on's may not be compatible until they are updated*)
-OR-
Firefox v.3.5 released / Download
- http://www.mozilla.com/firefox/firefox.html
June 30th, 2009

Release Notes / *Known issues
- http://www.mozilla.com/firefox/3.5/releasenotes/

Security & Privacy
- http://www.mozilla.com/firefox/features/#security

Video
- http://www.mozilla.com/firefox/video/?video=security

- http://www.f-secure.com/weblog/archives/00001712.html
July 1, 2009 - "... when I installed Firefox 3.5 the Private Browsing option was disabled. What?..."

Firefox v3.5.1 patch to be released...
- http://www.theregister.co.uk/2009/07...firefox_3_5_1/
3 July 2009
___

- https://wiki.mozilla.org/WeeklyUpdat...erbird_2.0.0.x
Firefox 3.0.12
* Code frozen as of Thursday last week
* Targeting mid/late-July release ...

- http://www.computerworld.com/action/...icleId=9135001
June 30, 2009 - "... the kill date for Version 3.0 will be Dec. 31, 2009..."

[AplusWebMaster]

FYI...

Firefox memory corruption vuln - unpatched
- http://secunia.com/advisories/35798/2/
Release Date: 2009-07-14
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Mozilla Firefox 3.5.x
Solution: Do not browse untrusted websites or follow untrusted links...
Original Advisory: http://milw0rm.com/exploits/9137 ...

- http://www.us-cert.gov/current/#mozi..._vulnerability
July 14, 2009

Per: http://voices.washingtonpost.com/sec...cal_firef.html
July 14, 2009 - "... Fortunately, there is a relatively easy fix for this that can be reversed once Mozilla issues a patch. To disable the vulnerable component, open up a new Firefox window and type "about:config" (without the quotes) in the browser's address bar. In the "filter" box, type "jit" and you should see a setting called "javascript.options.jit.content". You should notice that beside that setting it reads "true," meaning the setting is enabled. If you just double-click on that setting, it should disable it, changing the option to "false." That's it.
Note that making this change will slow down Javascript rendering in Firefox 3.5 to 3.0 speeds, but that may be a worthwhile trade-off for readers concerned about the availability of exploit code for this flaw."
... 'Glad that Brian Krebs guy is around. :-)
Edit/add: Also found (later) here:
- http://blog.mozilla.com/security/200...in-firefox-35/

- https://isc.sans.org/diary.html?storyid=6796
Last Updated: 2009-07-16 17:54:23 UTC ...(Version: 4) - "... this exploit has been spotted in the wild. The attacked just used Metasploit to create it and put a PoisonIvy client as the payload. Unfortunately, the payload has been packed with a packer that prevented some AV vendors so the detection isn't all that great..."

[AplusWebMaster]

FYI...

Firefox v3.5.1 released

From an admin account, start Firefox, then >Help >Check for Updates
-OR-

Download Firefox v3.5.1
- http://www.mozilla.com/firefox/all.html

Complete list of changes in this version
- https://bugzilla.mozilla.org/buglist...erified1.9.1.1
> 22 bugs found.

- http://www.mozilla.org/security/anno...sa2009-41.html
July 16, 2009

- http://isc.sans.org/diary.html?storyid=6817
Last Updated: 2009-07-17 07:17:02 UTC - "... if you applied the workaround by disabling the JIT in about:config, remember to turn it back on"

- http://www.mozilla.com/en-US/firefox.../releasenotes/
Installing... Please note that installing Firefox 3.5 will overwrite your existing installation of Firefox. You won’t lose any of your bookmarks or browsing history, but some of your extensions and other add-ons might not work until updates for them are made available. You can reinstall an older version later if you wish to downgrade.
> http://www.mozilla.com/firefox/all-older.html
___

> https://wiki.mozilla.org/WeeklyUpdat...erbird_2.0.0.x
2009-07-13
• Firefox 3.0.12 ...
* final ship next week