SANS ISC: Get your fresh Firefox updates - SANS Internet Storm Center
Get your fresh Firefox updates
My Firefox just jumped up at me and said "You have some updates".

Version to be exact.  So what's new?  Well, Mozilla tells us over here.

MFSA 2006-64 (which, by the way, stands for Mozilla Foundation Security Advisory)
Looks like a memory corruption bug.  "Crashes with evidence of memory corruption", Mozilla says, "...we presume that at least some of these could be exploited to run arbitrary code with enough effort."  So, let's hope not.

MFSA 2006-62 -- Popup-blocker cross-site scripting (XSS)
More XSS stuff, except this time against the Popup-blocker feature.  Mozilla doesn't really view this as a big threat: "The malicious page would first have to get itself framed by the target page, attempt to open a popup, and then convince the user that the popup contents were so important or interesting that it must be opened manually."

MFSA 2006-60 -- RSA Signature Forgery
Looks like Philip Mackenzie and Marius Schilder over at Google found this one.
"Because the set of root Certificate Authorities that ship with Mozilla clients contain some with an exponent of 3 it was possible to make up certificates, such as SSL/TLS and email certificates, that were not detected as invalid. This raised the possibility of the sort of Man-in-the-Middle attacks SSL/TLS was invented to prevent."
Good, I read about this one not too long ago on a couple of mailing lists that I lurk on.
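Mozilla's text above gives the effect; the root cause in the affected verifiers (a known fact about the 2006 Bleichenbacher e=3 forgery, not spelled out on the page) was a PKCS#1 v1.5 check that stopped comparing once it had matched the hash, leaving the rest of the padded block unexamined. The Python below is an added example, not Mozilla's code: it contrasts that lenient check with the strict byte-for-byte comparison RFC 3447 calls for, working directly on the padded encoded message (EM) so that no key, signature or cube root is involved; the malformed block is constructed by hand to show the block shape a lax parser lets through.

```python
import hashlib

# DER prefix of the SHA-1 DigestInfo, from RFC 3447 section 9.2, note 1.
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def digest_info(message: bytes) -> bytes:
    """T = DigestInfo prefix || SHA-1(message)."""
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()


def expected_em(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding for a k-byte modulus: 00 01 FF..FF 00 T."""
    t = digest_info(message)
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def lenient_verify(em: bytes, message: bytes) -> bool:
    """The flawed check: skip the padding, match T, ignore what follows.
    Bytes after T are never looked at, which is the bug class behind MFSA 2006-60."""
    if len(em) < 2 or em[0] != 0x00 or em[1] != 0x01:
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    t = digest_info(message)
    return em[i:i + len(t)] == t  # trailing bytes unchecked


def strict_verify(em: bytes, message: bytes, k: int) -> bool:
    """The correct check: EM must equal the expected encoding exactly,
    so the padding fills the whole block and nothing is left unexamined."""
    return len(em) == k and em == expected_em(message, k)


def malformed_em(message: bytes, k: int) -> bytes:
    """Constructed block with minimal padding and filler after T.
    This is only the shape a lax parser accepts, not a forged signature."""
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(message)
    return head + b"\xaa" * (k - len(head))


if __name__ == "__main__":
    msg, k = b"example certificate TBS bytes", 128  # constructed sample input
    for name, em in (("well-formed", expected_em(msg, k)), ("malformed", malformed_em(msg, k))):
        print(name, "lenient:", lenient_verify(em, msg), "strict:", strict_verify(em, msg, k))
```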

MFSA 2006-59 -- Concurrency-related vulnerability
Mozilla has this to say: "We have seen no demonstration that these crashes could be reliably exploited, but they do show evidence of memory corruption so we presume they could be."

MFSA 2006-58 -- Auto-Update compromise through DNS and SSL spoofing
DNS and SSL spoofing vulnerability.  Mozilla does offer some good advice on this one:
"Do not accept unverifiable (often self-signed) certificates as valid. If you must, accept them for the session only, never permanently."  Rule of thumb.

MFSA 2006-57 -- JavaScript Regular Expression Heap Corruption
"...a regular expression that ends with a backslash inside an unterminated character set (e.g. "[\\") will cause the regular expression engine to read beyond the end of the buffer, possibly leading to a crash."

... and since Thunderbird uses the same browser engine as Firefox, you need to update it too!

The Thunderbird update can be found here.
The Firefox update can be found here.

OR!!!  (and better IMO), you can click on Help (in the title bar), and click on "Check for Updates...", and the program will update itself.  (At least that's where it is on my Mac)

Happy updating!

(ISC would like to thank Jack, Robert, Juha-Matti, and Brian for emailing us to let us know.  And in case you were wondering, Brian emailed us first.  He wins!)


Sep 15th 2006