The Register® — Biting the hand that feeds IT

Mozilla quashes Firefox JavaScript peril

Vista stability also improved by critical browser update

Firefox users need to update their browser software following the release of updates designed to fix multiple security vulnerabilities.

Security bugs in the JavaScript engine used by the popular open source browser might be exploited to corrupt system memory, a type of attack that could allow hackers to inject hostile code onto vulnerable PCs.

There's also a flaw in the handling of XUL popups that means it might be possible to spoof the browser's location bar, a type of attack that phishing fraudsters would doubtless find useful.

There's little or no evidence that the flaws have been exploited to conduct hostile attacks, as yet. Nonetheless, users would be well advised to upgrade to version 2.0.0.4 or 1.5.0.12 of Firefox, just to be on the safe side. Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail, something that isn't a default setting and not recommended by the Mozilla Foundation.

Thunderbird users who nonetheless run JavaScript in mail received by the email client are advised to upgrade to version 2.0.0.4 or 1.5.0.12 of the software. SeaMonkey application suite users who enable JavaScript in emails need to upgrade to SeaMonkey version 1.0.9 and 1.1.2 for similar reasons.
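The upgrade advice above names a separate fixed release for each maintained branch (1.5.0.12 and 2.0.0.4 for Firefox and Thunderbird, 1.0.9 and 1.1.2 for SeaMonkey), so a naive "is my version number bigger" check gets it wrong: 2.0.0.3 is numerically above 1.5.0.12 yet still unpatched. The following branch-aware check is an added example written for this page, not Mozilla's code; the fixed-version table is taken from the article, the inventory format and host names are constructed for illustration.

```python
"""Branch-aware check of whether an installed Mozilla build predates the
fixed releases the article names.  Example code added to this page (not
Mozilla's); the inventory format below is a constructed assumption."""

from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Fixed releases per product, one per maintenance branch (values from the article).
FIXED_RELEASES: Dict[str, List[str]] = {
    "firefox": ["1.5.0.12", "2.0.0.4"],
    "thunderbird": ["1.5.0.12", "2.0.0.4"],
    "seamonkey": ["1.0.9", "1.1.2"],
}


def parse_version(text: str) -> Version:
    """Turn '2.0.0.4' into (2, 0, 0, 4).

    Parsing stops at the first non-numeric component, so a pre-release
    string like '3.0a5' becomes (3, 0) rather than raising.
    """
    parts: List[int] = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def is_patched(product: str, installed: str) -> Optional[bool]:
    """True if `installed` is at or past the fixed release on its own branch,
    False if it predates it, None if the branch is not covered by the advisory
    (unknown product, or a branch such as 3.0 alphas the article says nothing about)."""
    fixes = FIXED_RELEASES.get(product.lower())
    if fixes is None:
        return None
    have = parse_version(installed)
    for fixed in fixes:
        want = parse_version(fixed)
        # The branch is the first two components: 1.5.x vs 2.0.x, 1.0.x vs 1.1.x.
        if have[:2] == want[:2]:
            return have >= want  # tuple comparison handles differing lengths
    return None


def hosts_needing_update(inventory: str) -> List[Tuple[str, str, str]]:
    """Parse 'host product version' lines and return the hosts still on a
    build the advisory marks as vulnerable.  Hosts on uncovered branches are
    left out rather than reported, since the article gives no verdict on them."""
    needing: List[Tuple[str, str, str]] = []
    for line in inventory.strip().splitlines():
        host, product, version = line.split()
        if is_patched(product, version) is False:
            needing.append((host, product, version))
    return needing


# Constructed sample inventory (hypothetical hosts), one software record per line.
SAMPLE_INVENTORY = """\
ws01 firefox 2.0.0.3
ws02 firefox 2.0.0.4
ws03 firefox 1.5.0.11
ws04 thunderbird 1.5.0.12
ws05 seamonkey 1.0.8
ws06 seamonkey 1.1.2
ws07 firefox 3.0a5
"""

if __name__ == "__main__":
    for host, product, version in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} needs updating")
```

Two points worth noting in the design: the comparison is done per branch, so a 1.5.0.x install is measured against 1.5.0.12 and never mistakenly "cleared" by the higher-numbered 2.0.0.4; and an install on a branch the advisory does not mention returns None rather than a verdict either way, which keeps the scan from reporting false confidence about builds the page says nothing about.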

As well as fixing various security bugs, Mozilla has introduced modifications with version 2.0.0.4 of its browser to enhance stability and improve support for Vista.

More background can be found via an advisory from the Mozilla Foundation here. ®

Latest Comments

Just when we thought we could surf as Admin again

"Can't anyone make a browser that does not allow people to inject malicious code or take over your system?"

How about an entire operating system?

You could've caught Firefox bugs before the fact with limited accounts on Vista, XP or even 2K. Don't want to spend $250 on an OS upgrade? Spend $100 on an after-market copy of 2K on eBay, and ditch 98 already.

Use a VM as a web browsing sandbox

If you have to run a browser with all the latest plugins and the ability to handle all kinds of multimedia content automatically, and not risk this compromising your main system, you are probably best off running it inside a virtual machine sandbox and reverting the VM to its state before the session after visiting any untrusted website. You may want to keep your host system browser(s) for regularly visited (presumably trusted) sites where you want to take advantage of remembered cookies and passwords etc., and another VM for websites you visit on a one-off basis and which you can revert.

For the very rare sites that don't work with either Firefox or Konqueror (which seems more capable but not as elegant as Firefox) I run a VM with IE using VMware and revert it immediately after the session.

Anonymous Coward

Re: Firefox vs. IE

‘Frankly, IE7 has made great strides, and despite the difficulty in admitting that IE7 "aint all that bad" it has to be said.’

The only real deal-breaker with IE7 is that you have to "upgrade" to XP-SP2 or Vista to be able to use it. Sorry, but a €250 upgrade of an O/S just to be able to use more up-to-date bugware really isn't on the table. I'll keep FF on my W98SE system that I boot into maybe once a month.
