Sorry Clint but I've yet to find these CVS repositories myself.

As to the security of Firefox over/under IE consider that Secunia lists FF 1.0 as having 6 of 8 vulnerabilities as unpatched (1 or more is moderately critical) while IE 6 has 19 of 77 vulnerabilities as unpatched (1 or more is highly critical), 1 of these is highly critical and is unpatched since August 2003.

Comparatively, IE 6 is far more insecure than FF 1.0, as Secunia shows that IE 6 has had 15% of 61 vulnerabilities listed as extremely critical while FF 1.0 has none in that range or the highly critical range either.

Clint, you should read the advisories completely before passing judgement; they will serve you more efficiently in the future.

Peter Kaulback

Support-OrpheusComputing.com wrote:
Maybe someone can explain what "have been fixed in the CVS repository" means. I don't know what good that does those that are using FF or Mozilla, unless that means that a "nightly build" has the patch in it. Note that FF is LESS SECURE than IE. 75% of FF vulnerabilities have NOT been fixed! http://secunia.com/product/4227/
-------------------------


TITLE:
Mozilla / Firefox Three Vulnerabilities

SECUNIA ADVISORY ID:
SA14160

VERIFY ADVISORY:
http://secunia.com/advisories/14160/

CRITICAL:
Less critical

IMPACT:
Security Bypass, Cross Site Scripting, Manipulation of data

WHERE:
From remote

SOFTWARE:
Mozilla Firefox 1.x http://secunia.com/product/4227/
Mozilla Firefox 0.x http://secunia.com/product/3256/
Mozilla 1.7.x http://secunia.com/product/3691/
Mozilla 1.6 http://secunia.com/product/3101/
Mozilla 1.5 http://secunia.com/product/2478/
Mozilla 1.4 http://secunia.com/product/1481/
Mozilla 1.3 http://secunia.com/product/1480/
Mozilla 1.2 http://secunia.com/product/3100/
Mozilla 1.1 http://secunia.com/product/98/
Mozilla 1.0 http://secunia.com/product/97/
Mozilla 0.x http://secunia.com/product/772/

DESCRIPTION:
mikx has discovered three vulnerabilities in Mozilla and Firefox,
which can be exploited by malicious people to plant malware on a
user's system, conduct cross-site scripting attacks and bypass
certain security restrictions.


1) Mozilla and Firefox validate an image against the "Content-Type"
HTTP header, but use the file extension from the URL when saving an
image after a drag and drop event. This can e.g. be exploited to
plant a valid image with an arbitrary file extension and embedded
script code (e.g. .bat file) on the desktop by tricking a user into
performing a certain drag and drop event.


2) Missing URI handler validation when dragging a "javascript:" URL
to another tab can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an arbitrary site by
tricking a user into dragging a malicious link to another tab.


3) An error in the restriction of URI handlers loaded via plugins can
be exploited to link to certain restricted URIs (e.g. about:config).


This can further be exploited to trick a user into changing some
sensitive configuration settings.


The vulnerabilities have been confirmed in Mozilla 1.7.5 and Firefox
1.0. Other versions may also be affected.


SOLUTION:
The vulnerabilities have been fixed in the CVS repository.

ORIGINAL ADVISORY:
1) http://www.mikx.de/index.php?p=8
2) http://www.mikx.de/index.php?p=9
3) http://www.mikx.de/index.php?p=10

OTHER REFERENCES:
1) https://bugzilla.mozilla.org/show_bug.cgi?id=279945
2) https://bugzilla.mozilla.org/show_bug.cgi?id=280056
3) https://bugzilla.mozilla.org/show_bug.cgi?id=280664


--
I haven't failed, I've found 10,000 ways that don't work.

Thomas Edison (1847-1931)
============= PCWorks Mailing List =================
Don't see your post? Check our posting guidelines &
make sure you've followed proper posting procedures,
http://pcworkers.com/rules.htm
Contact list owner <[EMAIL PROTECTED]>
Unsubscribing and other changes: http://pcworkers.com
=====================================================
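The three issues in SA14160 come down to two input-validation gaps: the save name for a dropped image is taken from the URL rather than from the validated Content-Type (issue 1), and a URI handed over by an untrusted path (a drag onto another tab in issue 2, a plugin-initiated load in issue 3) is loaded without checking its scheme. The following JavaScript is an added example written for this thread, not Mozilla's code or its actual fix; the function names, the MIME-to-extension table and the sample URLs are constructed for the demonstration, and the hardened variants show one reasonable policy, not what was committed to CVS.

```javascript
// Added example (not Mozilla code): the two validation gaps from SA14160,
// each shown in a vulnerable and a hardened form. All inputs are constructed.

// --- Issue 1: save name for an image dropped onto the desktop ---

// Vulnerable: trusts whatever extension the URL path claims. The server
// sends Content-Type: image/png, the image is accepted, and the file lands
// on disk as "pic.bat" with the attacker's bytes in it.
function saveNameFromUrl(url) {
  const path = new URL(url).pathname;
  return path.substring(path.lastIndexOf("/") + 1) || "image";
}

// Hardened: the extension is derived from the Content-Type that was already
// validated, never from the URL; the rest of the name is reduced to a safe
// character set and the URL's own extension is discarded.
// (Assumed table; a real browser keeps a larger one.)
const EXT_FOR_MIME = { "image/png": "png", "image/jpeg": "jpg", "image/gif": "gif" };

function safeSaveName(url, contentType) {
  const mime = contentType.split(";")[0].trim().toLowerCase();
  const ext = EXT_FOR_MIME[mime];
  if (!ext) throw new Error("refusing to save non-image Content-Type: " + mime);
  const path = new URL(url).pathname;
  let base = path.substring(path.lastIndexOf("/") + 1);
  base = base.replace(/\.[^.]*$/, "");                 // drop the URL's claimed extension
  base = base.replace(/[^A-Za-z0-9_-]/g, "_").slice(0, 64) || "image";
  return base + "." + ext;
}

// --- Issues 2 and 3: URI arriving from an untrusted source ---

// Vulnerable: anything that parses as a URL is loaded, so "javascript:"
// runs in the target tab's origin and "about:config" opens from a plugin.
function loadableVulnerable(uri) {
  try { new URL(uri); return true; } catch (e) { return false; }
}

// Hardened: allow-list of schemes. new URL() lowercases the scheme, so
// "JavaScript:" does not slip past the check.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function loadableHardened(uri) {
  let parsed;
  try { parsed = new URL(uri); } catch (e) { return false; }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Walk-through on constructed inputs (an attacker page serving a real PNG
// from a URL that ends in .bat, plus two dragged/plugin-supplied URIs).
function demo() {
  const imgUrl = "http://attacker.example/images/pic.bat";
  return {
    vulnerableName: saveNameFromUrl(imgUrl),                       // "pic.bat"
    hardenedName: safeSaveName(imgUrl, "image/png; charset=binary"), // "pic.png"
    jsLoadedVulnerable: loadableVulnerable("javascript:alert(1)"),   // true
    jsLoadedHardened: loadableHardened("JavaScript:alert(1)"),       // false
    aboutLoadedHardened: loadableHardened("about:config"),           // false
  };
}
```

The point of `safeSaveName` is that the decision the browser already made (the bytes passed the image check because of Content-Type) is the only thing allowed to name the file; the URL contributes a display name at most. For the scheme check, an allow-list is what matters: a deny-list of `javascript:` and `about:` would still let `data:` or vendor-specific privileged schemes through on a drop target.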