Tag Archives: mozilla

BadUSB – WSWiR Episode 115

Android Fake ID, Backoff PoS Attack, and BadUSB

With Blackhat and DEF CON only a week away, it’s not surprising to see news of new vulnerabilities and attack vectors popping up as researchers hint at their upcoming presentations. If you are interesting in this threat news, but have no time to track it down yourself, this weekly video can fill you in.

Today’s show shares details about the Android Fake ID vulnerability, talks about a new PoS system attack campaign, and warns of an industry-wide USB problem researchers will disclose at Blackhat. Check out the video for the details and some advice, then scroll down to the Reference section if you are interested in other infosec news from the week.

As an aside, I will be attending Blackhat next week, which means I may not post the video at its regular time. However, it also means I’ll cover my favorite briefings from the show, so if you can’t attend be sure to tune in to get a taste of the popular security conference. Have a great weekend.

(Episode Runtime: 10:52)

Direct YouTube Link: https://www.youtube.com/watch?v=51VT-CJJKB4

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

iOS Backdoor – WSWiR Episode 114

Firefox 31, Tails 0day, and iOS Backdoor

Are you curious about the latest network breaches, dangerous new zero day exploits, or breaking security research, but too busy to find all this information on your own? No worries. We summarize the most important security news for you in our weekly security video every Friday.

In this week’s episode, you’ll learn how the latest Firefox update makes it harder to download malware, why you can’t rely on some anonymizers, and whether or not you should worry about the rumored backdoor in iOS. Check out the video for the full scoop, and don’t forget to peruse the extra stories in the Reference section below.

(Episode Runtime: 7:51)

Direct YouTube Link: https://www.youtube.com/watch?v=qg1wsjzjC4Q

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Microsoft Service Bus DoS Mostly Affects Enterprise Web Developers.

Among this week’s Microsoft security bulletins is one that likely only affects a small subset of Microsoft customers, and thus not worth a full security alert.

Microsoft Service Bus is a messaging component that ships with server versions of Windows, providing enterprise developers with the means to create message-driven applications. According to Microsoft’s bulletin, Service Bus suffers from a denial of service (DoS) vulnerability involving it’s inability to properly handle a sequence of specially crafted messages. If you have created an application that uses Service Bus, an attacker who could send specially crafted messages to your application could exploit this flaw to prevent the application from responding to further messages. You’d have to restart the service to regain functionality.

Windows itself doesn’t really use Service Bus for anything, but if you have internal applications that do, this vulnerability may be significant to you. If you use Service Bus, be sure to check out the bulletin to get your updates. — Corey Nachreiner, CISSP (@SecAdept)

TweetDeck XSS – WSWiR Episode 111

Patch Day, P.F. Changs Hack, and TweetDeck XSS

This week delivered a lot of infosec news and a ton of software security updates. If you didn’t have time to follow it all, check out our weekly computer security video to fill in the blanks.

During today’s episode, I cover the critical patches from Microsoft, Adobe and Mozilla, mention the latest credit card breach against a U.S. restaurant chain, and talk about the cross-site scripting worm spreading via TweetDeck. Click play below to learn more, and check out the References for other interesting infosec stories.

Before wishing you a great weekend, here are a couple of quick show notes. First, I’m starting a vacation during the middle of next week, so I won’t be publishing this weekly video for the next two weeks. It will return in July.

Second, if you are a WatchGuard customer curious about our OpenSSL updates, we are in the process of posting new versions of software for many of our products. Keep your eye on this blog, as those will likely start coming out early next week.

(Episode Runtime: 7:37)

Direct YouTube Link: https://www.youtube.com/watch?v=hbGqdrxvOyA

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Mozilla Plugs Zero Day Hole With Firefox 3.6.12

Summary:

  • This vulnerability affects: Firefox 3.6.x and 3.5.x for Windows, Linux, and Macintosh
  • How an attacker exploits it: By enticing one of your users to visit a malicious web page
  • Impact: An attacker executes code on your user’s computer, potentially gaining complete control of it
  • What to do: Upgrade to Firefox 3.6.12 (or 3.5.15), or let Firefox’s automatic update do it for you

Exposure:

In a WatchGuard Wire post yesterday, we warned you of a new zero day Firefox exploit that attackers had planted onto the Nobel Peace Prize web site. If you visited the infected site with Firefox 3.5 or 3.6 running on an XP computer, the exploit would silently download and install the Belmoo trojan onto your computer. At the time of the Wire post, Mozilla was aware of the zero day flaw but had not yet had time to fix it.

Luckily, Mozilla works fast. In an impressive display of development speed, Mozilla has already released Firefox 3.6.12 to fix this critical zero day vulnerability. According to their Known Vulnerabilities page, the zero day vulnerability was due to a heap buffer overflow flaw within Firefox’s DOM component. By enticing one of your users to a specially crafted web page, or by sneaking malicious code onto a legitimate web page that your user visits, an attacker can leverage this vulnerability to execute malicious code on that user’s machine, with that user’s privileges. If the user happens to be a local administrator or have root privileges, the attacker gains total control of the victim’s computer.

This is a very critical update for Firefox users. The bad guys found this serious vulnerability first, and are already exploiting it in the wild (like with the Nobel Peace Prize web site). As such, we consider it a very serious risk. If you use Firefox, we highly recommend you install the latest update immediately.

Solution Path:

Mozilla has released Firefox 3.6.12 and 3.5.15, to correct this zero day flaw. If you use Firefox in your network, we recommend that you download and deploy version 3.6.12 immediately, or let Firefox’s automatic updater do it for you. If, for some reason, you must remain with Firefox 3.5.x, make sure to upgrade to 3.5.15.

Note: The latest version of Firefox 3.6.x automatically informs you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to always download and install any update, or if you prefer, only to inform the user that an update exists.

As an aside, attackers cannot leverage this vulnerability, nor many other web-based flaws, without JavaScript. Disabling JavaScript by default is a good way to prevent many web-based attacks in general. If you use Firefox, we highly recommend you also install the NoScript extension, which will disable JavaScript (and other active scripts) by default.

For All Users:

This attack arrives as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

The Mozilla Foundation has released Firefox 3.6.12 to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

 

Firefox 3.6.11 Delivers 13 Security Fixes

Summary:

  • These vulnerabilities affect: Firefox 3.6.x and 3.5.x for Windows, Linux, and Macintosh
  • How an attacker exploits it: Typically by enticing one of your users to visit a malicious web page
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Upgrade to Firefox 3.6.1 (or 3.5.14), or let Firefox’s automatic update do it for you

Exposure:

Late Tuesday, Mozilla released a Firefox update fixing around 13 (count based on CVE numbers) vulnerabilities in their popular multi-platform web browser. Mozilla rates half of these vulnerabilities as critical; meaning an attacker can leverage them to execute code and install software without user interaction beyond normal browsing. We summarize three of the most critical Firefox 3.6.10 vulnerabilities below:

  • Multiple Dangling Pointer vulnerability (2010-67). A function within Firefox (LookupGetterOrSetter) suffers from a software flaw called a dangling pointer vulnerability. In the past, programmers considered dangling pointer flaws relatively benign, since attackers couldn’t easily exploit them. More recently, researchers have proven this class of  flaw quite exploitable. By enticing one of your users to a web page, an attacker can leverage these vulnerabilities to either crash Firefox, or to execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
    Mozilla Impact rating: Critical
  • Buffer Overflow Vulnerability in Document.write (2010-65). According to Mozilla, the latest Firefox update fixes a buffer overflow vulnerability in the code responsible for text rendering (document.write). By enticing one of your users to a maliciously crafted web page, an attacker can leverage this buffer overflow to either crash Firefox, or to execute malicious code on that user’s machine, with that user’s privileges. As usual, an attacker may gain full control of your users’ computers if they have administrative privileges.
    Mozilla Impact rating: Critical
  • Typical Memory Corruption Vulnerabilities (2010-64). Mozilla’s update fixes three mostly unspecified memory “safety” or corruption vulnerabilities, which can at least crash Firefox. Mozilla’s alert doesn’t say much about these vulnerabilities, other than they lie within Firefox’s browser engine. Mozilla presumes that, with enough effort, attackers could exploit some of these memory corruption flaws to run arbitrary code on a victim’s computer. To do so, an attacker would first have to trick one of your users into visiting a maliciously crafted web page. If your user took the bait, the attacker could execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
    Mozilla Impact rating: Critical

Mozilla’s alert describes many more vulnerabilities, including more code execution flaws, a few Cross-Site Scripting (XSS) vulnerabilities, and a few certificate and encryption issues. Visit Mozilla’s Known Vulnerabilities page for a complete list of the vulnerabilities that Firefox 3.6.11 fixes. On a related note, some of these vulnerabilities also affect Firefox 3.5.x. If you use 3.5.x, we recommend you move to 3.6.11. However, if you must stay with 3.5.x, Mozilla has also released an update for that legacy version as well.

Solution Path:

Mozilla has released Firefox 3.6.1 and 3.5.14, to correct these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 3.6.11 as soon as possible, or let Firefox’s automatic updater do it for you. If, for some reason, you must remain with Firefox 3.5.x, make sure to upgrade to 3.5.14.

Note: The latest version of Firefox 3.6.x automatically informs you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to always download and install any update, or if you prefer, only to inform the user that an update exists.

As an aside, attackers cannot leverage many of these vulnerabilities without JavaScript. Disabling JavaScript by default is a good way to prevent many web-based vulnerabilities. If you use Firefox, we recommend you also install the NoScript extension, which will disable JavaScript (and other active scripts) by default.

For All Users:

This attack arrives as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

The Mozilla Foundation has released Firefox 3.6.11 to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

 

Firefox 3.6.7 Fixes a Bunch of Drive-by Download Vulnerabilities

Summary:

  • These vulnerabilities affect: Firefox 3.6.x and 3.5.x for Windows, Linux, and Macintosh
  • How an attacker exploits it: Typically by enticing one of your users to visit a malicious web page
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Upgrade to Firefox 3.6.7 (or 3.5.11), or let Firefox’s automatic update do it for you

Exposure:

Today, Mozilla released an advisory describing 16 (count based on CVE number) vulnerabilities in Firefox 3.6.4 (and earlier versions) running on all platforms. Mozilla rates more than half of these vulnerabilities as critical; meaning an attacker can leverage them to execute code and install software without user interaction beyond normal browsing. We summarize three of the most critical Firefox 3.6.4 vulnerabilities below:

  • PNG Image Buffer Overflow Vulnerability (2010-41). The graphics code that helps Firefox handle PNG images suffers from a buffer overflow vulnerability. By enticing one of your users to a web page containing a maliciously crafted image, an attacker can leverage this buffer overflow to either crash Firefox, or to execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
    Mozilla Impact rating: Critical
  • Typical Memory Corruption Vulnerabilities (2010-34). Mozilla’s update fixes two unspecified memory “safety” or corruption vulnerabilities, which can at least crash Firefox. Mozilla’s alert doesn’t say much about these vulnerabilities, other than they lie within Firefox’s browser engine. Mozilla presumes that, with enough effort, attackers could exploit some of these memory corruption flaws to run arbitrary code on a victim’s computer. To do so, an attacker would first have to trick one of your users into visiting a maliciously crafted web page. If your user took the bait, the attacker could execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
    Mozilla Impact rating: Critical
  • DOM Attribute Cloning Code Execution Vulnerability (2010-35). The Document Object Model (DOM) is a W3C specification for representing structured documents as objects, in a platform and language neutral manner. Firefox’s DOM attribute cloning routine suffers from a code execution vulnerability. By enticing one of your users to a maliciously crafted web page, an attacker can leverage this flaw to either crash Firefox, or to execute malicious code on that user’s machine, with that user’s privileges. As usual, an attacker may gain full control of your users’ computers if they have administrative privileges.

Mozilla’s alert describes many more vulnerabilities, including other code execution flaws, Cross-Site Scripting (XSS) or cross-origin vulnerabilities, and spoofing vulnerabilities. Visit Mozilla’s Known Vulnerabilities page for a complete list of the vulnerabilities that Firefox 3.6.7 fixes.

On a related note, some of these vulnerabilities also affect Firefox 3.5.x. If you use 3.5.x, we recommend you move to 3.6.7. However, if you must stay with 3.5.x, Mozilla has also released an update for that legacy version as well.

Solution Path:

Mozilla has released Firefox 3.6.7 and 3.5.11, to correct these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 3.6.7 as soon as possible. If, for some reason, you must remain with Firefox 3.5.x, make sure to upgrade to 3.5.11.

Note: The latest version of Firefox 3.6.x automatically informs you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to always download and install any update, or if you prefer, only to inform the user that an update exists.

As an aside, attackers cannot leverage many of these vulnerabilities without JavaScript. Disabling JavaScript by default is a good way to prevent many web-based vulnerabilities. If you use Firefox, we recommend you also install the NoScript extension, which will disable Javascript (and other active scripts) by default.

For All Users:

This attack arrives as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

The Mozilla Foundation has released Firefox 3.6.7 to fix these vulnerabilities.

References:

Avoid Ten Vulnerabilities By Upgrading To Firefox 3.6.4

Summary:

  • These vulnerabilities affect: Firefox 3.6.3  for Windows, Linux, and Macintosh
  • How an attacker exploits it: Typically by enticing one of your users to visit a malicious web page
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Upgrade to Firefox 3.6.4, or let Firefox’s automatic update do it for you

Exposure:

Yesterday, Mozilla released an advisory describing ten (count based on CVE number) vulnerabilities in Firefox 3.6.3 (and earlier versions) running on all platforms. Mozilla rates more than half of these vulnerabilities as critical;  meaning an attacker can leverage them to execute code and install software without user interaction beyond normal browsing. We summarize three of the most critical Firefox 3.6.3 vulnerabilities below:

  • XSLT related Integer Overflow Vulnerability (2010-30). Extensible Stylesheet Language Transformations (XSLT) is an XML-based language used to change one XML document into another XML document. A routine Firefox uses to sort XSLT nodes suffers from an integer overflow vulnerability that can cause memory a buffer overflow. By enticing one of your users to a maliciously crafted web page, an attacker can leverage this buffer overflow to either crash Firefox, or to execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
    Mozilla Impact rating: Critical
  • Four Memory Corruption Vulnerabilities (2010-26). Mozilla’s update fixes four unspecified memory corruption vulnerabilities, which can at least crash Firefox. Mozilla’s alert doesn’t say much about these vulnerabilities, other than they lie within Firefox’s browser and JavaScript engines. Mozilla presumes that, with enough effort, attackers could exploit some of these memory corruption flaws to run arbitrary code on a victim’s computer. To do so, an attacker would first have to trick one of your users into visiting a maliciously crafted web page. If your user took the bait, the attacker could execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
    Mozilla Impact rating: Critical
  • DOM related Buffer Overflow Vulnerability (2010-29). The Document Object Model (DOM) is a W3C specification for representing structured documents as objects, in a platform and language neutral manner. Some of Firefox’s DOM code suffers from a buffer overflow vulnerability. By enticing one of your users to a maliciously crafted web page, an attacker can leverage this flaw to either crash Firefox, or to execute malicious code on that user’s machine, with that user’s privileges. As usually, attacker may gain full control of your users’ computers if they have administrative privileges.

Mozilla’s alert describes four more vulnerabilities, including another code execution flaw, a potential Cross-Site Scripting (XSS) vulnerability, and an issue that could allow an attacker to record your keystrokes, or inject extra ones. Visit Mozilla’s Known Vulnerabilities page for a complete list of the vulnerabilities that Firefox 3.6.4 fixes.

The vulnerabilities alone should convince you to upgrade, but if you need more reason, Firefox 3.6.4 also comes with a neat new feature called “plug-in isolation”. This feature should significantly improve Firefox’s stability. Part of Firefox’s draw lies in its extensive library of third party extensions or plug-ins, which deliver extra functionality to the popular browser. Previous to plug-in isolation, these extensions or plug-ins ran within the Firefox process, which meant that if a third party plug-in crashed, Firefox would crash. With Firefox 3.6.4, plug-ins now run as external processes, so Firefox can stay running even if a plug-in crashes. If you use third party extensions and plug-ins and have experienced Firefox crashes, this new feature may lessen crashes outside of Mozilla’s control.

Solution Path:

Mozilla has released Firefox 3.6.4, correcting ten security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 3.6.4 as soon as possible.

Note: The latest version of Firefox 3.6.x automatically informs you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to always download and install any update, or if you prefer, only to inform the user that an update exists.

As an aside, attackers cannot leverage many of these vulnerabilities without JavaScript. Disabling JavaScript by default is a good way to prevent many web-based vulnerabilities. If you use Firefox, we recommend you also install the NoScript extension, which will disable JavaScript (and other active scripts) by default.

For All Users:

This attack arrives as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

The Mozilla Foundation has released Firefox 3.6.4 to fix these vulnerabilities.

References:

Firefox 3.6.x Gets its First Security Update – Mozilla Also Releases Security Updates for Legacy Firefox

On 24 March, 2010, we alerted LiveSecurity subscribers about Firefox 3.6.2, which corrected ten security vulnerabilities. When we first released this alert, the Mozilla Foundation had only released an update for the 3.6.x branch of Firefox. They had not released updates for the 3.0.x or 3.5.x branches of Firefox.

Yesterday, the Mozilla Foundation released Firefox 3.5.9 and 3.0.19, which fix many of the same vulnerabilities that Firefox 3.6.2 corrected. You can read more about the vulnerabilities these versions fix in our original alert, or the following Firefox Known Vulnerabilities pages:

If you can, we strongly encourage you use the latest branch of Firefox, 3.6.x. If you use 3.6.x, you probably already updated to version 3.6.2 when we sent our original Firefox alert, and can ignore this update. However, if you chose to stick with Firefox 3.0.x or 3.5.x for some reason, you should download and install Mozilla’s latest updates:

For additional details about the original vulnerability, and as a convenient reference, we reproduce our original 24 March alert below. You can also find it in the LiveSecurity Latest Broadcasts archive.


Summary:

  • These vulnerabilities affect: Firefox 3.6  for Windows, Linux, and Macintosh
  • How an attacker exploits it: Multiple vectors of attack, including enticing one of your users to visit a malicious web page
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Upgrade to Firefox 3.6.2

Exposure:

In late January, the Mozilla Foundation released a new branch of Firefox, version 3.6. This week, Mozilla released the first security update for Firefox 3.6, specifically version 3.6.2 (they did not release 3.6.1). This update fixes at least ten (count based on CVE number) vulnerabilities that affect the latest version of Firefox. Mozilla rates four of these vulnerabilities as critical, which they define as flaws that  attackers can leverage to execute code and install software; requiring no user interaction beyond normal browsing. We summarize the most critical Firefox 3.6.x vulnerabilities below:

  • WOFF Integer Overflow Vulnerability (2010-08). Firefox 3.6 introduced support for Web Open Font Format (WOFF), a new downloadable font format that supports compression. Firefox’s WOFF decoder suffers from an integer overflow vulnerability that can cause heap memory corruption, which  attackers can leverage to execute arbitrary code. By enticing one of your users to a maliciously crafted web page, an attacker can leverage this flaw to either crash Firefox, or to execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
    Mozilla Impact rating: Critical
  • Three Memory Corruption Vulnerabilities (2010-11). This update also fixes three other memory corruption vulnerabilities, which can at least crash Firefox. Mozilla’s alert doesn’t say much about these vulnerabilities, other than they lie within Firefox’s browser engine. Mozilla presumes that, with enough effort, attackers could exploit some of these memory corruption flaws to run arbitrary code on a victim’s computer. To do so, an attacker would first have to trick one of your users into visiting a maliciously crafted web page. If your user took the bait, the attacker could execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
    Mozilla Impact rating: Critical

Mozilla’s alert describes six more vulnerabilities, including Cross-Site Scripting (XSS) flaws, browser defacement flaws, and issues that could help a phisher in social engineering attacks. Visit Mozilla’s Known Vulnerabilities page for a complete list of the vulnerabilities that Firefox 3.6.2 fixes.

As an aside, attackers cannot leverage many of these vulnerabilities without JavaScript. Disabling JavaScript by default is a good way to prevent many web-based vulnerabilities. If you use Firefox, we recommend you also install the NoScript extension, which will disable Javascript (and other active scripts) by default.

Solution Path:

Mozilla has released Firefox 3.6.2, correcting these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 3.6.2 as soon as possible. Mozilla strongly recommends 3.0.x and 3.5.x users upgrade to 3.6.x, and so do we. If you are using an older version of Firefox, we recommend you move to 3.6.x, as it contains new security features, such as its ability to detect out-of-date and potentially insecure plug-ins and extensions.

Note: The latest version of Firefox 3.6.x automatically informs you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to always download and install any update, or if you prefer, only to inform the user that an update exists.

For All Users:

Many of these attacks arrive as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

The Mozilla Foundation has released Firefox 3.6.2, fixing these security issues.

References:


Follow

Get every new post delivered to your Inbox.

Join 7,704 other followers

%d bloggers like this: