
Thread: Firefox updates

  1. #51
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    NEW vuln - FireFox 3.5.1 confirmed, exploit PoC, no patch

    FYI...

    NEW vuln - FireFox 3.5.1 confirmed, exploit PoC, no patch
    - http://isc.sans.org/diary.html?storyid=6829
    Last Updated: 2009-07-18 15:04:23 UTC - "Various analysts and sites have recently confirmed a vulnerability is present in FireFox 3.5.1 that has had exploit PoC released. When exploited, the vulnerability can lead to system compromise or induce a DOS. No Patch is available."
    Mozilla Firefox 3.5 Unicode Data Remote Stack Buffer Overflow Vulnerability
    > http://www.securityfocus.com/bid/35707/
    CVE-2009-2479
    > http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-2479
    Last revised: 07/16/2009
    CVSS v2 Base Score: 10.0 (HIGH)
    >> http://xforce.iss.net/xforce/xfdb/51729
    Reported: July 15, 2009
    >> http://www.milw0rm.com/exploits/9158
    [2009-07-15]

    milw0rm 9158 “stack overflow” crash not exploitable (CVE-2009-2479)
    - http://blog.mozilla.com/security/200...cve-2009-2479/
    07.19.09 - "In the last few days, there have been several reports (including one via SANS) of a bug in Firefox related to handling of certain very long Unicode strings. While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug. Our analysis indicates that it is -not-, and we have seen no example of exploitability... we believe that the IBM report is in error, and that the severity rating in the National Vulnerability Database report is incorrect. We have contacted them and hope to resolve the inaccuracies shortly."

    Last edited by AplusWebMaster; 2009-07-20 at 02:54. Reason: Added Mozilla security blog reply...
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #52
    Adviser Team AplusWebMaster's Avatar

    Firefox v3.0.12 released

    FYI...

    Firefox v3.0.12 released
    From an admin account, start Firefox, then >Help >Check for Updates
    -or-

    Download Firefox v3.0.12
    - http://www.mozilla.com/firefox/all-older.html

    - http://www.mozilla.org/security/know...#firefox3.0.12
    Fixed in Firefox 3.0.12
    MFSA 2009-40 Multiple cross origin wrapper bypasses
    MFSA 2009-39 setTimeout loses XPCNativeWrappers
    MFSA 2009-37 Crash and remote code execution using watch and __defineSetter__ on SVG element
    MFSA 2009-36 Heap/integer overflows in font glyph rendering libraries
    MFSA 2009-35 Crash and remote code execution during Flash player unloading
    MFSA 2009-34 Crashes with evidence of memory corruption (rv:1.9.1/1.9.0.12)

    - http://secunia.com/advisories/35914/2/
    Release Date: 2009-07-22
    Critical: Highly critical
    Impact: System access, Cross Site Scripting
    Where: From remote
    Solution Status: Vendor Patch
    Software: Mozilla Firefox 3.0.x ...
    Solution: Update to version 3.0.12 ...

    Last edited by AplusWebMaster; 2009-07-22 at 12:46. Reason: Added Secunia advisory link...

  3. #53
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    Firefox 3.5.2 released

    From an admin account, start Firefox, then > Help > Check for Updates
    -or-
    Download: http://www.mozilla.com/en-US/firefox/all.html

    Release Notes: http://www.mozilla.com/en-US/firefox.../releasenotes/

    Firefox 3.5.2 fixes the following issues:


    ___

    Firefox v3.0.13 released

    From an admin account, start Firefox, then > Help > Check for Updates
    -or-
    Download: http://www.mozilla.com/en-US/firefox/all-older.html

    Release Notes: http://www.mozilla.com/en-US/firefox.../releasenotes/

    Firefox 3.0.13 fixes the following issues:
    - http://www.mozilla.org/security/know...#firefox3.0.13

    - http://secunia.com/advisories/36001/2/
    Last Update: 2009-08-07
    Critical: Highly critical
    Impact: System access, Spoofing
    Where: From remote
    Solution Status: Vendor Patch
    Software: Mozilla Firefox 3.0.x, Mozilla Firefox 3.5.x ...
    Solution: Update to version 3.5.2 or 3.0.13...

    - http://secunia.com/advisories/36088/2/
    Last Update: 2009-08-07
    Critical: Highly critical
    Impact: Security Bypass, DoS, System access
    Where: From remote
    Solution Status: Vendor Patch
    Software: Mozilla Firefox 3.0.x
    Solution: Update to version 3.0.13...
    ___

    * https://wiki.mozilla.org/WeeklyUpdat...erbird_2.0.0.x
    • short cycle release to fix new issues announced at BlackHat and Defcon
    ___

    - http://www.eset.com/threat-center/bl...y-less-privacy
    August 6, 2009 - "... a few days ago when I allowed Firefox to update to fix security vulnerabilities my privacy settings were reset to less private settings. I had Firefox set to clear the history on exit, and prompt me. I also had it set not to accept third party cookies. After the upgrade the settings were reset to defaults. I simply happened to notice that I wasn’t prompted when I closed Firefox... This is not a behavior that should be happening. Perhaps my computer is an anomaly and there is a conflict... At any rate, it is always a good idea to check the settings of your programs periodically, and especially after an update..."

    Last edited by AplusWebMaster; 2009-08-11 at 19:12.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  4. #54
    Adviser Team AplusWebMaster's Avatar

    Firefox will check Flash

    FYI...

    Firefox will check Flash...
    - http://blog.mozilla.com/security/200...ugins-updated/
    September 04, 2009 - "Starting with the upcoming releases of Firefox 3.5.3 and Firefox 3.0.14, Mozilla will warn users if their version of the popular Adobe Flash Player plugin is out of date. Old versions of plugins can cause crashes and other stability problems, and can also be a significant security risk. For now our focus is on the Adobe Flash Player both because of its popularity and because some studies have shown that as many as 80% of users currently have an out of date version*..."
    * http://blogs.zdnet.com/security/?p=4097

    - https://wiki.mozilla.org/WeeklyUpdat...erbird_2.0.0.x
    WeeklyUpdates/2009-08-31
    • Firefox 3.0.14 / Firefox 3.5.3
    > on track for release next week

    Last edited by AplusWebMaster; 2009-09-06 at 13:21.

  5. #55
    Adviser Team AplusWebMaster's Avatar

    Firefox v3.5.3 / v3.0.14 released

    FYI...

    Firefox v3.5.3 released

    From an admin account, start Firefox, then > Help > Check for Updates
    -or-
    Download: http://www.mozilla.com/firefox/all.html
    v.3.5.3, released September 9, 2009

    - http://www.mozilla.org/security/know...l#firefox3.5.3
    Fixed in Firefox 3.5.3
    MFSA 2009-51 Chrome privilege escalation with FeedWriter
    MFSA 2009-50 Location bar spoofing via tall line-height Unicode characters
    MFSA 2009-49 TreeColumns dangling pointer vulnerability
    MFSA 2009-47 Crashes with evidence of memory corruption (rv:1.9.1.3/1.9.0.14)
    ___

    Firefox v3.0.14 released

    From an admin account, start Firefox, then > Help > Check for Updates
    -or-
    Download: http://www.mozilla.com/firefox/all-older.html
    v3.0.14, released September 9, 2009

    - http://www.mozilla.org/security/know...#firefox3.0.14
    Fixed in Firefox 3.0.14
    MFSA 2009-51 Chrome privilege escalation with FeedWriter
    MFSA 2009-50 Location bar spoofing via tall line-height Unicode characters
    MFSA 2009-49 TreeColumns dangling pointer vulnerability
    MFSA 2009-48 Insufficient warning for PKCS11 module installation and removal
    MFSA 2009-47 Crashes with evidence of memory corruption (rv:1.9.1.3/1.9.0.14)
    ___

    - http://secunia.com/advisories/36671/2/
    Release Date: 2009-09-10
    Critical: Highly critical
    Impact: Security Bypass, Spoofing, System access
    Where: From remote
    Solution Status: Vendor Patch
    Software: Mozilla Firefox 3.0.x, Mozilla Firefox 3.5.x ...
    Solution: Update to version 3.0.14 or 3.5.3...

    CVE reference:
    http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3069
    http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3070
    http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3071
    http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3072
    http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3073
    http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3074
    http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3075
    http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3076
    http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3077
    http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3078
    http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3079

    .
    Last edited by AplusWebMaster; 2009-09-11 at 04:57.

  6. #56
    Adviser Team AplusWebMaster's Avatar

    Firefox users w-insecure Flash

    FYI...

    - http://www.channelregister.co.uk/200...nerable_flash/
    17 September 2009 - "... Of the 6 million or so people who upgraded to either 3.5.3 or 3.0.14 of Firefox on its debut last Thursday, slightly more than 3 million of them were found to be running an outdated Flash version, according to Mozilla's Ken Kovash*. Sadly, only about 35 percent of those informed they had an insecure installation clicked on a link to upgrade to the latest version..."
    * http://blog.mozilla.com/metrics/2009...upgrade-flash/


  7. #57
    Adviser Team AplusWebMaster's Avatar

    Firefox blocks .NET Framework Assistant add-on

    FYI...

    Firefox blocks MS add-on to tighten security
    - http://www.f-secure.com/weblog/archives/00001794.html
    October 17, 2009

    // http://www.mozilla.com/plugincheck/

    .NET Framework Assistant Blocked to Disarm Security Vulnerability
    * http://blog.mozilla.com/security/200...vulnerability/
    10.16.09 - "... Mike Shaver, Mozilla’s Vice President of Engineering writes: I’ve previously posted** about the .NET Framework Assistant add-on that was delivered via Windows Update earlier this year. It’s recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on. Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately. (Some users are already seeing it disabled, less than an hour after we added it!)"
    ** http://shaver.off.net/diary/2009/06/...ckonce-add-on/
    02 June 2009

    - http://support.microsoft.com/kb/963707
    Last Review: June 2, 2009 - Revision: 2.3

    - http://voices.washingtonpost.com/sec...tly_insta.html
    May 29, 2009 - "... to Microsoft - this is a great example of how not to convince people to trust your security updates..."

    Last edited by AplusWebMaster; 2009-10-19 at 16:00.

  8. #58
    Adviser Team AplusWebMaster's Avatar

    Firefox .NET Framework Assistant add-on

    'Wish somebody would make up their mind!

    - http://shaver.off.net/diary/2009/10/...ort-unblocked/
    18 October 2009 - "We received confirmation from Microsoft this evening that the Framework Assistant add-on is -not- a mechanism for exploiting the vulnerabilities detailed in the earlier post*, so we’ve removed it from the blocklist. As the blocklist update propagates to clients, the add-on should be re-enabled for users who had it previously enabled.
    We’re hard at work on improving the experience for (especially enterprise) users who wish to override the blocking of the WPF plugin before we remove it from the blocklist, and I’m working on a post to clarify the events of the past few days..."
    * http://blog.mozilla.com/security/200...vulnerability/
    10.16.09

    - http://www.theregister.co.uk/2009/10...security_flap/
    19 October 2009
    - http://www.theinquirer.net/inquirer/...microsoft-plug
    19 October 2009
    - http://www.h-online.com/security/new...on-832309.html
    19 October 2009

    - http://www.securityfocus.com/brief/1024
    2009-10-20

    - https://bugzilla.mozilla.org/show_bug.cgi?id=522777
    Last: 2009-10-20

    Last edited by AplusWebMaster; 2009-10-20 at 20:27.

  9. #59
    Adviser Team AplusWebMaster's Avatar

    Firefox v3.5.4 / v3.0.15 released

    FYI...

    Firefox v3.5.4 released

    From an admin account, start Firefox, then > Help > Check for Updates
    -or-
    Download: http://www.mozilla.com/firefox/all.html
    v.3.5.4, released October 27, 2009

    - http://www.mozilla.org/security/know...l#firefox3.5.4
    Fixed in Firefox 3.5.4
    MFSA 2009-64 Crashes with evidence of memory corruption (rv:1.9.1.4/ 1.9.0.15)
    MFSA 2009-63 Upgrade media libraries to fix memory safety bugs
    MFSA 2009-62 Download filename spoofing with RTL override
    MFSA 2009-61 Cross-origin data theft through document.getSelection()
    MFSA 2009-59 Heap buffer overflow in string to number conversion
    MFSA 2009-57 Chrome privilege escalation in XPCVariant::VariantDataToJS()
    MFSA 2009-56 Heap buffer overflow in GIF color map parser
    MFSA 2009-55 Crash in proxy auto-configuration regexp parsing
    MFSA 2009-54 Crash with recursive web-worker calls
    MFSA 2009-53 Local downloaded file tampering
    MFSA 2009-52 Form history vulnerable to stealing
    ___

    Firefox v3.0.15 released

    From an admin account, start Firefox, then > Help > Check for Updates
    -or-
    Download: http://www.mozilla.com/firefox/all-older.html
    v3.0.15, released October 27, 2009

    - http://www.mozilla.org/security/know...#firefox3.0.15
    Fixed in Firefox 3.0.15
    MFSA 2009-64 Crashes with evidence of memory corruption (rv:1.9.1.4/ 1.9.0.15)
    MFSA 2009-63 Upgrade media libraries to fix memory safety bugs
    MFSA 2009-62 Download filename spoofing with RTL override
    MFSA 2009-61 Cross-origin data theft through document.getSelection()
    MFSA 2009-59 Heap buffer overflow in string to number conversion
    MFSA 2009-57 Chrome privilege escalation in XPCVariant::VariantDataToJS()
    MFSA 2009-56 Heap buffer overflow in GIF color map parser
    MFSA 2009-55 Crash in proxy auto-configuration regexp parsing
    MFSA 2009-53 Local downloaded file tampering
    MFSA 2009-52 Form history vulnerable to stealing
    ___

    - http://secunia.com/advisories/36711/2/
    Release Date: 2009-10-28
    Critical: Highly critical
    Impact: Security Bypass, Manipulation of data, Exposure of sensitive information, System access
    Where: From remote
    Solution Status: Vendor Patch
    Software: Mozilla Firefox 3.0.x, Mozilla Firefox 3.5.x
    Solution: Update to version 3.0.15 or 3.5.4...
    CVE reference:
    CVE-2009-1563, CVE-2009-3370, CVE-2009-3371, CVE-2009-3372, CVE-2009-3373, CVE-2009-3374, CVE-2009-3375, CVE-2009-3376, CVE-2009-3377, CVE-2009-3378, CVE-2009-3379, CVE-2009-3380, CVE-2009-3381, CVE-2009-3382, CVE-2009-3383

    Last edited by AplusWebMaster; 2009-10-28 at 10:47.

  10. #60
    Adviser Team AplusWebMaster's Avatar

    Firefox v3.5.5 released

    FYI...

    Firefox v3.5.5 released

    From an admin account, start Firefox, then > Help > Check for Updates
    -or-
    Download: http://www.mozilla.com/firefox/all.html
    v.3.5.5, released Nov. 5, 2009

    - http://www.mozilla.com/en-US/firefox.../releasenotes/
    "Firefox 3.5.5 fixes the following issues: Fixed several stability issues..."

    Complete list of changes in this version
    - https://bugzilla.mozilla.org/buglist...9.1%3A.5-fixed
    Thu Nov 5 2009 20:44:32 PST
