Wednesday, July 13, 2005

Firefox Fixes: version 1.0.5 released yesterday





Firefox web browser users must visit the Firefox site and download version 1.0.5 to install the mandatory security patches.




Links (in descending relevance):

Firefox Download page
http://www.mozilla.org/products/firefox

Firefox Security Updates
http://www.mozilla.org/security

Firefox/Mozilla News
http://www.mozilla.org/news.html

Firefox Tips for Secure Browsing
http://www.mozilla.org/security/#Tips_for_secure_browsing

Firefox Central
http://www.mozilla.org/products/firefox/central.html


For your information, here are the security issues patched so far by each version.



Firefox Fixes


(as reported on Firefox site)




Fixed in Firefox 1.0.5

MFSA 2005-56 Code execution through shared function objects
MFSA 2005-55 XHTML node spoofing
MFSA 2005-54 Javascript prompt origin spoofing
MFSA 2005-53 Standalone applications can run arbitrary code through the browser
MFSA 2005-52 Same origin violation: frame calling top.focus()
MFSA 2005-51 The return of frame-injection spoofing
MFSA 2005-50 Possibly exploitable crash in InstallVersion.compareTo()
MFSA 2005-49 Script injection from Firefox sidebar panel using data:
MFSA 2005-48 Same-origin violation with InstallTrigger callback
MFSA 2005-47 Code execution via "Set as Wallpaper"
MFSA 2005-46 XBL scripts ran even when Javascript disabled
MFSA 2005-45 Content-generated event vulnerabilities


Fixed in Firefox 1.0.4

MFSA 2005-44 Privilege escalation via non-DOM property overrides
MFSA 2005-43 "Wrapped" javascript: urls bypass security checks
MFSA 2005-42 Code execution via javascript: IconURL


Fixed in Firefox 1.0.3

MFSA 2005-33 Javascript "lambda" replace exposes memory contents
MFSA 2005-34 javascript: PLUGINSPAGE code execution
MFSA 2005-35 Showing blocked javascript: popup uses wrong privilege context
MFSA 2005-36 Cross-site scripting through global scope pollution
MFSA 2005-37 Code execution through javascript: favicons
MFSA 2005-38 Search plugin cross-site scripting
MFSA 2005-39 Arbitrary code execution from Firefox sidebar panel II
MFSA 2005-40 Missing Install object instance checks
MFSA 2005-41 Privilege escalation via DOM property overrides


Fixed in Firefox 1.0.2

MFSA 2005-32 Drag and drop loading of privileged XUL
MFSA 2005-31 Arbitrary code execution from Firefox sidebar panel
MFSA 2005-30 GIF heap overflow parsing Netscape extension 2


Fixed in Firefox 1.0.1

MFSA 2005-29 Internationalized Domain Name (IDN) homograph spoofing
MFSA 2005-28 Unsafe /tmp/plugtmp directory exploitable to erase user's files
MFSA 2005-27 Plugins can be used to load privileged content
MFSA 2005-26 Cross-site scripting by dropping javascript: link on tab
MFSA 2005-25 Image drag and drop executable spoofing
MFSA 2005-24 HTTP auth prompt tab spoofing
MFSA 2005-23 Download dialog source spoofing
MFSA 2005-22 Download dialog spoofing using Content-Disposition header
MFSA 2005-21 Overwrite arbitrary files downloading .lnk twice
MFSA 2005-20 XSLT can include stylesheets from arbitrary hosts
MFSA 2005-19 Autocomplete data leak
MFSA 2005-18 Memory overwrite in string library
MFSA 2005-17 Install source spoofing with user:pass@host
MFSA 2005-16 Spoofing download and security dialogs with overlapping windows
MFSA 2005-15 Heap overflow possible in UTF8 to Unicode conversion
MFSA 2005-14 SSL "secure site" indicator spoofing
MFSA 2005-13 Window Injection Spoofing



Fixed in Firefox 1.0

MFSA 2005-12 javascript: Livefeed bookmarks can steal private data
MFSA 2005-09 Browser responds to proxy auth request from non-proxy ssl server
MFSA 2005-08 Synthetic middle-click event can steal clipboard contents
MFSA 2005-07 Script-generated event can download content without prompting
MFSA 2005-05 Input stealing from other tabs
MFSA 2005-04 Secure site lock can be spoofed using view-source:
MFSA 2005-03 Secure site lock can be spoofed by a binary download
MFSA 2005-02 Opened attachments are temporarily saved world-readable
MFSA 2005-01 Link opened in new tab can load local file




[signed] Steven Streight aka Vaspers the Grate

4 comments:

Chris Ritke said...

After reading your post I realized that I had version 0. something - it worked really well, but I just updated to 1.0.5 - it's great, the install went like a charm! Thanks for the heads up!

steven edward streight said...

Thanks Chris for showing appreciation.

Each post a blogger publishes is meant to help, entertain, inform, provoke, cheer, or question an audience of blog readers.

It's nice when a blog reader posts a comment about how a post helped them.

It seems other bloggers do much more posting of comments than non-blogger lurkers.

It seems if someone likes to contribute voluntary user-generated content, I mean comments, they will also tend to want to have their own blog.

Blogs are easy to start, hard to perfect, hard to frequently update with fresh insights, hot news, and interesting expression.

Glad you use Firefox and that the upgrade went well.

carrie said...

I downloaded it and I think I installed it but am not sure. X^D

steven edward streight said...

Carrie: check your desktop icons.

Did you not see a message on screen "Firefox 1.0.5 successfully downloaded" then when you activated the Install Wizard, you should see a "Firefox 1.0.5 successfully installed on your computer" or message words to that effect?