Re: Some Non-Critical Secunia Advisories

2005-03-20 Thread Nate
On Wed, 16 Mar 2005 14:05:09 -0500, Allen Farley
[EMAIL PROTECTED] wrote:

In the too-good-to-be-true category, would a webpage do as a stop-gap 
measure? http://secunia.com/product/4227/

Thanks. Have any of the regulars here thought about creating a Yahoo
group for announcements only?
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security


Re: Some Non-Critical Secunia Advisories

2005-03-15 Thread Nate
On 15 Mar 2005 13:33:53 GMT, Christopher Jahn [EMAIL PROTECTED] wrote:

Allen Farley [EMAIL PROTECTED] wrote in news:d14voe$hug8
@ripley.netscape.com:

 Just got these for Mozilla, Firefox and Thunderbird today. All are 
 listed as 'Save Link Target As... Status Bar Spoofing Weakness' and 
 all have the same solution: 'SOLUTION: Never save files via untrusted 
 sources.'
 
 http://secunia.com/advisories/14565/  -  Firefox 0.x  1.x
 http://secunia.com/advisories/14567/  -  Thunderbird 1.0
 http://secunia.com/advisories/14568/  -  Mozilla 1.7.x
 

I believe this was fixed in FF 1.01

nope, sorry to say it's not fixed. I just tested it in FF 1.0.1

I see the good url in the status bar, but see the bad url in the Save
as... dialog - and the bad file does get downloaded.




Re: Some Non-Critical Secunia Advisories

2005-03-15 Thread Nate
On Tue, 15 Mar 2005 10:51:26 -0500, Allen Farley
[EMAIL PROTECTED] wrote:

 From the article:
 The weakness has been confirmed in version 1.0.1. Other versions may 
also be affected.

I also tested the sample code with FF 1.0.1, and they are right.

It's not unusual for me to save a zip (because I want to keep a copy),
and then right away click Open when it's finished downloading. Now I
know that could be a recipe for disaster, if I were not to notice the
change in filename. So thanks for posting the alert.

I suppose it's too-good-to-be-true that there is an email alert
service for these exploits? One that covers only FF, not everything
under the sun?


...and it occurs to me yet once again, that one big reason for the
proliferation of spam, spyware, viruses and on and on ad nauseam is
that the bad guys hardly ever suffer any punishment. It's like
burglars being allowed to try as many doors as they want to.

