Firefox Finishes Fire Drill
Mozilla Fixes Flaw, Issues Updated Version 1.04

A security flaw that allows a malicious site to execute arbitrary code on a user's system through the Mozilla Firefox Version 1.03 browser has been fixed with the issuance of Mozilla Firefox Version 1.04, Mozilla has reported. The Version 1.03 flaw appears to be the first "Extremely Critical" Firefox flaw logged by Secunia, Mozilla says.

Firefox users are encouraged to go to www.mozilla.org to find the new version. ISSJ did this, and found one important navigational issue. The best way to find the most clearly marked patch download is to first go to the original May 8 notification of the problem. There you will find clearly marked information regarding the update, which is known as Version 1.04.

Hitting the May 11 link, which references the "security update," simply brings you to a generic Firefox page. Version 1.04 is the featured version on that page, and this version has eliminated the flaw. However, it may not be intuitively obvious to all users that this is the correct version, as there is no specific wording about the Version 1.03 problems on this page. With an estimated 50 million downloads worldwide, one can imagine that some confusion may be caused by this navigational obliqueness.

The May 8 advisory explains that a successful attack involves exploiting two flaws: one involves tricking Firefox into thinking a software installation is being triggered by a whitelisted site, while the other relies on the software installation trigger not sufficiently checking icon URLs containing JavaScript code.

The Secunia advisory suggests disabling JavaScript as a workaround; however, simply disabling software installation (Web Features panel of the Options/Preferences window in Firefox 1.0.3 or the Content panel in the latest trunk builds) eliminates the problem. Now, with Version 1.04 available, the problem has been fully addressed.
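The two checks the advisory describes as insufficient, sketched in generalized form as an added example. This is not Mozilla's code: the function names, the whitelist entry and the sample URLs are hypothetical, and it assumes a runtime with the standard WHATWG `URL` parser (a browser or Node.js).

```javascript
// Added illustration, not Firefox source. All names and values are constructed.
const ALLOWED_ICON_SCHEMES = new Set(["http:", "https:"]);
const INSTALL_WHITELIST = new Set(["https://addons.example.org"]); // placeholder origin

// Check 1: the icon URL must resolve to a plain web scheme.
// Parsing first (instead of string matching) normalises letter case,
// leading whitespace and embedded tab/newline characters, so a disguised
// "javascript:" scheme cannot slip past a naive prefix comparison.
function isSafeIconUrl(iconUrl, baseUrl) {
  let parsed;
  try {
    parsed = new URL(iconUrl, baseUrl);
  } catch (e) {
    return false; // unparseable input is rejected, never passed on
  }
  return ALLOWED_ICON_SCHEMES.has(parsed.protocol);
}

// Check 2: the whitelist decision uses the origin the browser itself
// recorded for the calling page (requestingOrigin), never a value that
// the page supplies inside the request.
function checkInstallRequest(requestingOrigin, request) {
  if (!INSTALL_WHITELIST.has(requestingOrigin)) {
    return { allowed: false, reason: "origin not whitelisted" };
  }
  if (request.iconUrl !== undefined &&
      !isSafeIconUrl(request.iconUrl, requestingOrigin)) {
    return { allowed: false, reason: "icon URL scheme not allowed" };
  }
  return { allowed: true, reason: "ok" };
}
```

Both checks fail closed: a request is refused unless the origin is whitelisted and the icon URL, if present, parses to an allowed scheme.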

About Security News Desk
SYS-CON's Security News desk trawls the world of security for news of software, hardware, products, and services that seem likely to be of interest to infosec professionals, and summarizes them for easy assimilation by busy IT managers and staff.
