Re: OT Firefox security leak: bogus or genuine?
On 21:42, Tue 10 May 05, Jonathan Kaye wrote:
> The BBC website is now carrying a story about an alleged security vulnerability of Firefox.
> http://news.bbc.co.uk/1/hi/technology/4532127.stm
> I checked on the "From other news sites" section of the article for possible sources and found this.
> http://software.silicon.com/security/0,39024655,39130254,00.htm
> I don't want to sound overly suspicious but the silicon article is straddled by a big advert for Windows XP SP2. The article also says, Mozilla has changed its update web service and advises people to temporarily disable JavaScript.
> I've just had a look around the Mozilla Firefox site and can't find anything about it; not even in the firefox forums where you'd expect it to feature prominently.
> Has anyone heard anything about this?
> Cheers,
> Jonathan

Mozilla has already had a fix for it, check your local sites, Firefox 1.04 rc is now out. Some claim it as a RC but I assume they will push this pretty fast.

http://lwn.net/Articles/135342/

This is an example of how fast Open Source works to fix security problems. Like the article points out, I hope all the news agencies pick it up as fast as they did the original problem.

Gnu_Raiz

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: OT Firefox security leak: bogus or genuine?
Gnu-Raiz wrote:
> Mozilla has already had a fix for it, check your local sites, Firefox 1.04 rc is now out. Some claim it as a RC but I assume they will push this pretty fast.

Well, it doesn't show up in the auto-notify for updates yet... I agree with the poster that said it should be on the firefox page, not just the main page.

Seems to me the vulnerability is overblown. The mozilla site says there is only a proof of concept exploit, they might be down-playing it. But when I have to visit a site with the exploit, I am not too afraid. And supposedly mozilla has changed something on their servers that is supposed to scuttle the exploit. Not sure about the details of that.

> http://lwn.net/Articles/135342/
> This is an example of how fast Open Source works to fix security problems. Like the article points out, I hope all the news agencies pick it up as fast as they did the original problem.

Is a month fast? It only became public a few days ago, but they were notified of it a while ago.

> Gnu_Raiz

Re: OT Firefox security leak: bogus or genuine?
Jonathan Kaye wrote:
> 2. If you go to the Security Advisory 2005-42 page and look at the workaround, the first 2 procedures (Select the Options dialog from the Tools menu, etc.) are certainly not for the Linux version of Firefox

I noticed this too. However it didn't take much thinking around to discover what they meant. That page looks like it's a wiki-page but I doubt Joe Public could fix it.

OT Firefox security leak: bogus or genuine?
The BBC website is now carrying a story about an alleged security vulnerability of Firefox.
http://news.bbc.co.uk/1/hi/technology/4532127.stm

I checked on the "From other news sites" section of the article for possible sources and found this.
http://software.silicon.com/security/0,39024655,39130254,00.htm

I don't want to sound overly suspicious but the silicon article is straddled by a big advert for Windows XP SP2. The article also says, Mozilla has changed its update web service and advises people to temporarily disable JavaScript.

I've just had a look around the Mozilla Firefox site and can't find anything about it; not even in the firefox forums where you'd expect it to feature prominently.

Has anyone heard anything about this?

Cheers,
Jonathan

Re: OT Firefox security leak: bogus or genuine?
Jonathan Kaye wrote:
> The BBC website is now carrying a story about an alleged security vulnerability of Firefox.
> [snip]
> I've just had a look around the Mozilla Firefox site and can't find anything about it;

Front page of http://www.mozilla.org, the May 8 Security Advisory link, takes you to http://www.mozilla.org/security/#Security_Alerts

--
Kent West

Re: OT Firefox security leak: bogus or genuine?
Jonathan Kaye wrote:
> The BBC website is now carrying a story about an alleged security vulnerability of Firefox.
> http://news.bbc.co.uk/1/hi/technology/4532127.stm
> I checked on the "From other news sites" section of the article for possible sources and found this.
> http://software.silicon.com/security/0,39024655,39130254,00.htm
> I don't want to sound overly suspicious but the silicon article is straddled by a big advert for Windows XP SP2. The article also says, Mozilla has changed its update web service and advises people to temporarily disable JavaScript.
> I've just had a look around the Mozilla Firefox site and can't find anything about it; not even in the firefox forums where you'd expect it to feature prominently.
> Has anyone heard anything about this?
> Cheers,
> Jonathan

Here is the official security advisory link from mozilla.org
http://www.mozilla.org/security/announce/mfsa2005-42.html

You should be fine as long as you haven't added any website to the whitelist to install software except the official update website.

/KS

Re: OT Firefox security leak: bogus or genuine?
On Tue, 2005-05-10 at 18:47 -0400, [KS] wrote:
> Here is the official security advisory link from mozilla.org
> http://www.mozilla.org/security/announce/mfsa2005-42.html
> You should be fine as long as you haven't added any website to the whitelist to install software except the official update website.
> /KS

Not so. From the Workaround section of the advisory:

4. Click the Remove All Sites button

The problem is that any site can install software as long as there is at least a single site on the whitelist. You are vulnerable until you clear the whitelist completely.

dB

Re: OT Firefox security leak: bogus or genuine?
On Tuesday 10 May 2005 21:42, Jonathan Kaye wrote:
> Mozilla has changed its update web service and advises people to temporarily disable JavaScript.

Is there a one-button, one-click method to switch JavaScript support from on to off and vice versa? I have often wished for that feature.

regards
Gerhard

Re: OT Firefox security leak: bogus or genuine?
David Burgess wrote:
> On Tue, 2005-05-10 at 18:47 -0400, [KS] wrote:
>> Here is the official security advisory link from mozilla.org
>> http://www.mozilla.org/security/announce/mfsa2005-42.html
>> You should be fine as long as you haven't added any website to the whitelist to install software except the official update website.
>> /KS
>
> Not so. From the Workaround section of the advisory:
>
> 4. Click the Remove All Sites button
>
> The problem is that any site can install software as long as there is at least a single site on the whitelist. You are vulnerable until you clear the whitelist completely.
>
> dB

Ref: http://www.mozillazine.org/talkback.html?article=6590

In a standard Firefox installation, only the Mozilla Update sites (update.mozilla.org and addons.mozilla.org) are on the whitelist by default. This has allowed the Mozilla Foundation to apply a server-side change that prevents attackers from exploiting the code execution flaw using its systems. Therefore, **if you have not added any additional sites to the whitelist**, you are not at risk from the code execution exploit and have not been since yesterday. However, you will still be vulnerable to the less serious JavaScript injection flaw.

/KS

RE: OT Firefox security leak: bogus or genuine?
Yes, the vulnerabilities exist and the new candidate builds have been released:
http://weblogs.mozillazine.org/asa/archives/008121.html

-----Original Message-----
From: [KS] [mailto:[EMAIL PROTECTED]]
Sent: Tue 5/10/2005 5:47 PM
To: debian-user@lists.debian.org
Cc: debian-user@lists.debian.org
Subject: Re: OT Firefox security leak: bogus or genuine?

Jonathan Kaye wrote:
> The BBC website is now carrying a story about an alleged security vulnerability of Firefox.
> http://news.bbc.co.uk/1/hi/technology/4532127.stm
> I checked on the "From other news sites" section of the article for possible sources and found this.
> http://software.silicon.com/security/0,39024655,39130254,00.htm
> I don't want to sound overly suspicious but the silicon article is straddled by a big advert for Windows XP SP2. The article also says, Mozilla has changed its update web service and advises people to temporarily disable JavaScript.
> I've just had a look around the Mozilla Firefox site and can't find anything about it; not even in the firefox forums where you'd expect it to feature prominently.
> Has anyone heard anything about this?
> Cheers,
> Jonathan

Here is the official security advisory link from mozilla.org
http://www.mozilla.org/security/announce/mfsa2005-42.html

You should be fine as long as you haven't added any website to the whitelist to install software except the official update website.

/KS

OT Enable/Disable Javascript in Firefox [Was: Re: OT Firefox security leak: bogus or genuine?]
Gerhard Gaußling wrote:
> Is there a one-button, one-click method to switch JavaScript support from on to off and vice versa? I have often wished for that feature.

Try the PrefBar 3.1.0 extension.

Author: Aaron Anderson
Version: 3.1.0
Size: 167KB
Date: 2004-02-08
Compatibility: ( 0.9 - 1.0+) ( 1.0 - 1.8a6)

The original preferences toolbar was designed to give the user more control over the pages viewed, and to allow the power browser to use mozilla with greater ease and efficiency than ever before. The PrefBar2 takes this concept to a whole new level; along with the standard preference checkboxes, the new version includes utility buttons, user agent spoofing, web links, and more, served on a fully customizable toolbar with a side of white rice.

http://prefbar.mozdev.org/

Re: OT Firefox security leak: bogus or genuine?
Jonathan Kaye wrote, on 10/05/05 21:42:
| The BBC website is now carrying a story about an alleged security
| vulnerability of Firefox.
| http://news.bbc.co.uk/1/hi/technology/4532127.stm
| I checked on the "From other news sites" section of the article for
| possible sources and found this.
| http://software.silicon.com/security/0,39024655,39130254,00.htm
| I don't want to sound overly suspicious but the silicon article is
| straddled by a big advert for Windows XP SP2. The article also says,
| Mozilla has changed its update web service and advises people to
| temporarily disable JavaScript.
| I've just had a look around the Mozilla Firefox site and can't find
| anything about it; not even in the firefox forums where you'd expect it
| to feature prominently.
| Has anyone heard anything about this?
| Cheers,
| Jonathan

Hi Debianers,

As always, debian.users is the place to go to find out what's going on. Thanks to all of you for your info. I've got 2 grumbles with respect to Moz.FF.

1. Why on earth don't they have at least a link to the security advisory, http://www.mozilla.org and/or http://www.mozilla.org/security/#Security_Alerts on the Firefox page, http://www.mozilla.org/products/firefox/? This is what Openoffice does when they have a vulnerability. Maybe I'm strange but I think most people have bookmarked the Firefox page rather than the main Mozilla.org page so they would (like me) have no hint of the problem. I certainly don't want to rely on the BBC for this kind of thing.

2. If you go to the Security Advisory 2005-42 page and look at the workaround, the first 2 procedures (Select the Options dialog from the Tools menu, etc.) are certainly not for the Linux version of Firefox (I'm using 1.0.3) where you go to Edit - Preferences. Misleadingly, the Edit - Preferences route is mentioned 3rd under the Mozilla Suite heading (which I don't use). I assume that the Tools - Options route is for Windows, yes? Does that mean the vulnerability only applies to windows? I think not but who knows.

If anyone thinks it's worth sending these points to Mozilla, I'll be happy to do so.

Cheers and thanks again for the info.
Jonathan