Mozilla issues security updates

The Mozilla Foundation has issued "critical" security updates to vulnerabilities discovered in the Firefox browser, Thunderbird e-mail client and SeaMonkey application suite.

Flaws were found in versions of the open-source software prior to both Firefox 2.0.0.1 and Firefox 1.5.0.9, as well as prior to Thunderbird 1.5.0.9 and SeaMonkey 1.0.7, Mozilla said Tuesday.

The vulnerabilities could potentially be exploited to conduct cross-site scripting attacks, to let malicious attackers launch a remote execution of code on users' computers, and to expose sensitive information, according to an advisory from security company Secunia.

While Mozilla labeled the updates "critical," Secunia rated them "highly critical."

Mozilla advised people to forgo enabling JavaScript in Thunderbird and the mail portions of its Internet application suite SeaMonkey. People are also advised to download SeaMonkey 1.0.7, which is undergoing its final paces of testing.

"Some of these (flaws) were crashes that showed evidence of memory corruption, and we presume that at least some of these could be exploited to run arbitrary code with enough effort," according to one of six-related "critical" Mozilla security advisories issued Tuesday.

Last month, Mozilla also issued "critical" security updates for Firefox, Thunderbird and SeaMonkey. Like the new flaws, the earlier ones involved the potential for malicious attackers to take hold of users' systems.

[FOSS4evR]

A bit misleading, don't you think

Okay, I've come to not expect "fair and balanced"(TM) reporting from c|Net but come on.

"While Mozilla labeled the updates "critical," Secunia rated them "highly critical.""

Of course Mozilla ONLY labeled the updates "critical", Mozilla's impact key ONLY goes up to critical.

This is just poor journalism.

[anarchyreigns]

You're a moron!

<eom>

[extinctone]

Secunia is a "panic the user" organization

Their money comes from users who succumb to their panics so they have a "rating" scale that's built to push people's panic buttons. Otherwise people would look at the definition of "critical" and understand that adding "extremely" to it is an exercise in redundancy.

[umbrae]

Not really much of an issue...

Since most FF users use NoScript. Most pages I visit never run one line of JavaScript period. Cross Site scripting never happens until I implicitly trust both sites.

[sjkx]

geek-minded assumptions

Claiming that "most FF users use NoScript" is a presumptuous
generalization. Frankly, my guess would be that most FF users
don't even know what NoScript is/does.

[pip_z]

unpatched flaw in Firefox 2.0.0.1 allows to steal the passwords

unpatched flaw in Firefox 2.0.0.1 allows to steal the passwords

test here: <a class="jive-link-external" href="http://www.info-svc.com/news/11-21-2006/rcsr1/" target="_newWindow">http://www.info-svc.com/news/11-21-2006/rcsr1/</a>

[pip_z]

NoScript doesn't protect from SVG remote code execuion in Firefox 2.

NoScript doesn't protect from SVG remote code execuion in Firefox 2.

[pip_z]

NoScript doesn't protect from SVG remote code execution in Firefox 2.

NoScript doesn't protect from SVG remote code execuion in Firefox 2.

[pip_z]

NoScript doesn't protect from SVG remote code execution in Firefox 2.

NoScript doesn't protect from SVG remote code execution in Firefox 2.

[pip_z]

flaw in Firefox 2.0.0.1 allows to steal the passwords

unpatched flaw in Firefox 2.0.0.1 allows to steal the passwords

test here: <a class="jive-link-external" href="http://www.info-svc.com/news/11-21-2006/rcsr1/" target="_newWindow">http://www.info-svc.com/news/11-21-2006/rcsr1/</a>

[Mendz]

Opera...

... is the most secured. Compare:

Opera 9 - 2 patched
<a class="jive-link-external" href="http://secunia.com/product/10615/?task=advisories" target="_newWindow">http://secunia.com/product/10615/?task=advisories</a>

FF 2 - 1 patched; 1 unpatched
<a class="jive-link-external" href="http://secunia.com/product/12434/?task=advisories" target="_newWindow">http://secunia.com/product/12434/?task=advisories</a>

IE 7 - 3 unpatched
<a class="jive-link-external" href="http://secunia.com/product/12366/?task=advisories" target="_newWindow">http://secunia.com/product/12366/?task=advisories</a>

Safari 2 - 2 patched; 3 unpatched
<a class="jive-link-external" href="http://secunia.com/product/5289/?task=advisories" target="_newWindow">http://secunia.com/product/5289/?task=advisories</a>

Hmmm...

[Ryo Hazuki]

1-%...

The fact that a comapany called Secunia doesn't know any unpatched flaws, at a specific time, for a product that is used by less than 1% of people, doesn't mean there are no unpatched flaws and that, thus, doesn't mean that product is the most secured one.
Afterall, it's much more likely to find flaws for something that is used by more than 80% (overal percentage, not IE7-specific, but still a metric) of people, wouldn't you agree?

[Technoswamp]

And more will follow

A prediction: Google's motto is 'Do no Evil' yet their floatation has made them less warm and fuzzy and more corporate. As Firefox matures as a business there will be the temptation to 'make money' (even though they make millions of dollars through search partnerships already!), will bring Firefox into the corporate lime light and the tecnical self appointed elite will turn on them. They will become a traget just like Microsoft - for the ethical, and not-so-ethical hackers looking to 'kick' the corproate man for turning against the geekorati. Or, in the case of 'security' companies, to make a name for themselves.

Watch this space...

[System Tyrant]

Don't you all ever get tired...

of this constant bickering about who's right and who's wrong or which is better and which is worse.

Their is no truth to be found. It's all a one sided story. The only real difference between any of us is which side we choose to believe.

[anarchyreigns]

@FOSS4evR

Look, you sack of ****, here are just two here. I'll leave it to you with your third grade education to find the rest. Ya know, why don't you do us all a favor and leave this board, as it's the low rent wannabees who have no understanding of how little they know, that ruin it for the rest of us?
<a class="jive-link-external" href="http://news.yahoo.com/s/nf/20061220/bs_nf/48890" target="_newWindow">http://news.yahoo.com/s/nf/20061220/bs_nf/48890</a>
<a class="jive-link-external" href="http://www.cio-today.com/news/Mozilla-Patches-Firefox-and-Thunderbird/story.xhtml?story_id=110003SJ1ECS" target="_newWindow">http://www.cio-today.com/news/Mozilla-Patches-Firefox-and-Thunderbird/story.xhtml?story_id=110003SJ1ECS</a>

[System Tyrant]

I disagree.

It's people like you that ruin it for the rest of us. You are the sore thumb here. Even your nickname says that.

Why don't you leave and find some place else to insult people.