Re: Some Non-Critical Secunia Advisories
Allen Farley wrote:
> Nate wrote:
>> On Tue, 15 Mar 2005 10:51:26 -0500, Allen Farley [EMAIL PROTECTED] wrote:
>>> From the article: The weakness has been confirmed in version 1.0.1. Other versions may also be affected.
>>>
>>> I also tested the sample code with FF 1.0.1, and they are right.
>>
>> It's not unusual for me to save a zip (because I want to keep a copy), and then right away click Open when it's finished downloading. Now I know that could be a recipe for disaster, if I were not to notice the change in filename. So thanks for posting the alert.
>>
>> I suppose it's too-good-to-be-true that there is an email alert service for these exploits? One that covers only FF, not everything under the sun?
>>
>> ...and it occurs to me yet once again, that one big reason for the proliferation of spam, spyware, viruses and on and on ad nauseam is that the bad guys hardly ever suffer any punishment. It's like burglars being allowed to try as many doors as they want to.
>
> In the too-good-to-be-true category, would a webpage do as a stop-gap measure? http://secunia.com/product/4227/ There may be other possibilities there as well.
>
> On punishing the bad guys, my suggestions would most likely be considered inhumane for these creatures.

Just figured out, with some help from TB help and FAQ, another alternative in the Too-good-to-be-true category here. Secunia Advisories come also in RSS; others may also have this as well. You can set up a Saved Search Folder on an RSS. Yes, it seems to work when I set one up to test on TB 1.0.2. I set it up to look for Thunderbird, Firefox or Mozilla in both the subject and body. You still have the Secunia Advisory RSS folder for the subscription, but at least you have an easy way to access only the articles you are wanting. If you don't like that, you could still use the Secunia Advisory RSS, or whichever you prefer, with a filter! It's kind of interesting all of the possible solutions you have to choose from.

Allen

___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
Re: Some Non-Critical Secunia Advisories
On Wed, 16 Mar 2005 14:05:09 -0500, Allen Farley [EMAIL PROTECTED] wrote:
> In the too-good-to-be-true category, would a webpage do as a stop-gap measure? http://secunia.com/product/4227/

Thanks. Have any of the regulars here thought about creating a Yahoo group for announcements only?
Re: Some Non-Critical Secunia Advisories
Allen Farley wrote:
> Nate wrote:
>> On Tue, 15 Mar 2005 10:51:26 -0500, Allen Farley [EMAIL PROTECTED] wrote:
>>> From the article: The weakness has been confirmed in version 1.0.1. Other versions may also be affected.
>>>
>>> I also tested the sample code with FF 1.0.1, and they are right.
>>
>> It's not unusual for me to save a zip (because I want to keep a copy), and then right away click Open when it's finished downloading. Now I know that could be a recipe for disaster, if I were not to notice the change in filename. So thanks for posting the alert.
>>
>> I suppose it's too-good-to-be-true that there is an email alert service for these exploits? One that covers only FF, not everything under the sun?
>>
>> ...and it occurs to me yet once again, that one big reason for the proliferation of spam, spyware, viruses and on and on ad nauseam is that the bad guys hardly ever suffer any punishment. It's like burglars being allowed to try as many doors as they want to.
>
> In the too-good-to-be-true category, would a webpage do as a stop-gap measure? http://secunia.com/product/4227/ There may be other possibilities there as well.
>
> On punishing the bad guys, my suggestions would most likely be considered inhumane for these creatures.
>
> Allen

Generally, I oppose such things as torture, or maiming, but in the case of this kind of pernicious activity, prison sentences aren't enough.
Re: Some Non-Critical Secunia Advisories
On 15 Mar 2005 13:33:53 GMT, Christopher Jahn [EMAIL PROTECTED] wrote:
> Allen Farley [EMAIL PROTECTED] wrote in news:d14voe$hug8@ripley.netscape.com:
>> Just got these for Mozilla, Firefox and Thunderbird today. All are listed as 'Save Link Target As... Status Bar Spoofing Weakness' and all have the same solution: 'SOLUTION: Never save files via untrusted sources.'
>>
>> http://secunia.com/advisories/14565/ - Firefox 0.x 1.x
>> http://secunia.com/advisories/14567/ - Thunderbird 1.0
>> http://secunia.com/advisories/14568/ - Mozilla 1.7.x
>
> I believe this was fixed in FF 1.01

Nope, sorry to say it's not fixed. I just tested it in FF 1.0.1. I see the good URL in the status bar, but see the bad URL in the Save as... dialog - and the bad file does get downloaded.
Re: Some Non-Critical Secunia Advisories
Christopher Jahn wrote:
> Allen Farley [EMAIL PROTECTED] wrote in news:d14voe$hug8@ripley.netscape.com:
>> Just got these for Mozilla, Firefox and Thunderbird today. All are listed as 'Save Link Target As... Status Bar Spoofing Weakness' and all have the same solution: 'SOLUTION: Never save files via untrusted sources.'
>>
>> http://secunia.com/advisories/14565/ - Firefox 0.x 1.x
>> http://secunia.com/advisories/14567/ - Thunderbird 1.0
>> http://secunia.com/advisories/14568/ - Mozilla 1.7.x
>
> I believe this was fixed in FF 1.01

From the article: The weakness has been confirmed in version 1.0.1. Other versions may also be affected.

I also tested the sample code with FF 1.0.1, and they are right.

Allen
Re: Some Non-Critical Secunia Advisories
On Tue, 15 Mar 2005 10:51:26 -0500, Allen Farley [EMAIL PROTECTED] wrote:
> From the article: The weakness has been confirmed in version 1.0.1. Other versions may also be affected.
>
> I also tested the sample code with FF 1.0.1, and they are right.

It's not unusual for me to save a zip (because I want to keep a copy), and then right away click Open when it's finished downloading. Now I know that could be a recipe for disaster, if I were not to notice the change in filename. So thanks for posting the alert.

I suppose it's too-good-to-be-true that there is an email alert service for these exploits? One that covers only FF, not everything under the sun?

...and it occurs to me yet once again, that one big reason for the proliferation of spam, spyware, viruses and on and on ad nauseam is that the bad guys hardly ever suffer any punishment. It's like burglars being allowed to try as many doors as they want to.
Re: Some Non-Critical Secunia Advisories
Nate wrote:
> ...and it occurs to me yet once again, that one big reason for the proliferation of spam, spyware, viruses and on and on ad nauseam is that the bad guys hardly ever suffer any punishment. It's like burglars being allowed to try as many doors as they want to.

Yup. And, no matter how much they huff and puff, politicians in rich countries can't bring people in poor countries to justice. A lot of the current fraud comes out of economically ravaged Eastern European countries where salaries of $400 per month are considered 'good money'. Gotta learn to live with it.

iang
--
News and views on what matters in finance+crypto: http://financialcryptography.com/