Mozilla quashes Firefox JavaScript peril
Vista stability also improved by critical browser update
Firefox users need to update their browser software following the release of updates designed to fix multiple security vulnerabilities.
Security bugs in the JavaScript engine used by the popular open source browser might be exploited to corrupt system memory, a type of attack that could allow hackers to inject hostile code onto vulnerable PCs.
There's also a flaw in the handling of XUL popups that means it might be possible to spoof the browser's location bar, a type of attack that phishing fraudsters would doubtless find useful.
There's little or no evidence that the flaws have been exploited to conduct hostile attacks, as yet. Nonetheless, users would be well advised to upgrade to version 2.0.0.4 or 1.5.0.12 of Firefox, just to be on the safe side. Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail, something that isn't a default setting and isn't recommended by the Mozilla Foundation.
Thunderbird users who nonetheless run JavaScript in mail received by the email client are advised to upgrade to version 2.0.0.4 or 1.5.0.12 of the software. SeaMonkey application suite users who enable JavaScript in emails need to upgrade to SeaMonkey version 1.0.9 or 1.1.2 for similar reasons.
As well as fixing various security bugs, Mozilla has introduced modifications with version 2.0.0.4 of its browser to enhance stability and improve support for Vista.
More background can be found via an advisory from the Mozilla Foundation here. ®
COMMENTS
Just when we thought we could surf as Admin again
"Can't anyone make a browser that does not allow people to inject malicious code or take over your system?"
How about an entire operating system?
You could've caught Firefox bugs before the fact with limited accounts on Vista, XP or even 2K. Don't want to spend $250 on an OS upgrade? Spend $100 on an after-market copy of 2K on eBay, and ditch 98 already.
Use a VM as a web browsing sandbox
If you have to run a browser with all the latest plugins and ability automatically to handle all kinds of multimedia content and not risk this compromising your main system, you are probably best off running this inside a virtual machine sandbox and reverting the VM to its state before the session after visiting any untrusted website. You may want to keep your host system browser/s for regularly visited (presumably trusted) sites where you want to take advantage of remembered cookies and passwords etc, and another VM for websites you visit on a one-off basis and which you can revert.
For the very rare sites that don't work with either Firefox or Konqueror (which seems more capable but not as elegant as Firefox) I run a VM with IE using VMware and revert it immediately after the session.
Re: Firefox vs. IE
‘Frankly, IE7 has made great strides, and despite the difficulty in admitting that IE7 "aint all that bad" it has to be said.’
The only real deal-breaker with IE7 is that you have to "upgrade" to XP-SP2 or Vista to be able to use it. Sorry, but a €250 upgrade of an O/S just to be able to use more up-to-date bugware really isn't on the table. I'll keep FF on my W98SE system that I boot into maybe once a month.
