Tech Talk

[Firefox v3.5.5 released]

FYI...

Firefox v3.5.5 released

From an admin account, start Firefox, then > Help > Check for Updates
-or-
Download: http://www.mozilla.com/firefox/all.html
v.3.5.5, released Nov. 5, 2009

- http://www.mozilla.com/en-US/firefox/3.5.5/releasenotes/
"Firefox 3.5.5 fixes the following issues: Fixed several stability issues..."

Complete list of changes in this version
- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.1%3A.5-fixed
Thu Nov 5 2009 20:44:32 PST

//

[Firefox v3.5.6 released]

FYI...

Firefox v3.5.6 released

From an admin account, start Firefox, then > Help > Check for Updates
-or-
Download: http://www.mozilla.com/firefox/all.html
v.3.5.6, released December 15, 2009

- http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.6
Fixed in Firefox 3.5.6
MFSA 2009-71 GeckoActiveXObject exception messages can be used to enumerate installed COM objects
MFSA 2009-70 Privilege escalation via chrome window.opener
MFSA 2009-69 Location bar spoofing vulnerabilities
MFSA 2009-68 NTLM reflection vulnerability
MFSA 2009-67 Integer overflow, crash in libtheora video library
MFSA 2009-66 Memory safety fixes in liboggplay media library
MFSA 2009-65 Crashes with evidence of memory corruption (rv:1.9.1.6/ 1.9.0.16)
___

Firefox v3.0.16 released

From an admin account, start Firefox, then > Help > Check for Updates
-or-
Download: http://www.mozilla.com/firefox/all-older.html
v3.0.16, released December 15, 2009

- http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.16
Fixed in Firefox 3.0.16
MFSA 2009-71 GeckoActiveXObject exception messages can be used to enumerate installed COM objects
MFSA 2009-70 Privilege escalation via chrome window.opener
MFSA 2009-69 Location bar spoofing vulnerabilities
MFSA 2009-68 NTLM reflection vulnerability
MFSA 2009-65 Crashes with evidence of memory corruption (rv:1.9.1.6/ 1.9.0.16)
___

- http://secunia.com/advisories/37699/2/
Release Date: 2009-12-16
Critical: Highly critical
Impact: Security Bypass, Spoofing, Manipulation of data, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.0.x, Mozilla Firefox 3.5.x ...
Solution: Update to version 3.0.16 or 3.5.6...

- http://www.theregister.co.uk/2009/12/16/firefox_update/
16 December 2009

 

[Firefox v3.5.7 released]

FYI...

Firefox v3.5.7 released

From an admin account, start Firefox, then > Help > Check for Updates
-or-
Download: http://www.mozilla.com/firefox/all.html
v.3.5.7, released January 5, 2010

- http://www.mozilla.com/en-US/firefox/3.5.7/releasenotes/
Firefox 3.5.7 fixes the following issues:
• Fixed a common stability issue.
• Fixed a problem with how updates were being presented to users.
Complete list of changes:
- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.1%3A.7-fixed

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0220
Last revised: 01/08/2010
CVSS v2 Base Score: 5.0 (MEDIUM)
___

Firefox v3.0.17 released

From an admin account, start Firefox, then > Help > Check for Updates
-or-
Download: http://www.mozilla.com/firefox/all-older.html
v3.0.17, released January 5, 2010

- http://www.mozilla.com/en-US/firefox/3.0.17/releasenotes/
Firefox 3.0.17 fixes the following issue:
• Fixed a problem with how updates were being presented to users.
Complete list of changes:
- https://bugzilla.mozilla.org/buglist.cgi?keywords_type=anywords&keywords=fixed1.9.0.17+verified1.9.0.17

//

[Firefox v.3.6 released]

FYI...

Firefox v.3.6 released
- http://www.mozilla.com/en-US/firefox/3.6/releasenotes/
January 21, 2010 - "Firefox 3.6  is built on Mozilla's Gecko 1.9.2 web rendering platform, which has been under development since early 2009 and contains many improvements for web developers, add-on developers, and users. This version is also faster and more responsive than previous versions and has been optimized to run on small device operating systems such as Maemo..."
- Download: http://www.mozilla.com/firefox/all.html

WeeklyUpdates/2010-01-25
- https://wiki.mozilla.org/WeeklyUpdates/2010-01-25
Schedule for Firefox 3.5.8 are... Final release: February 16 ...
Schedule for Firefox 3.0.18 are... Final release: February 16 ...

 

[Firefox v3.0.18/v3.5.8 released]

FYI...

From an admin account, start Firefox, then > Help > Check for Updates

Firefox v3.0.18/v3.5.8 released
- http://secunia.com/advisories/37242/
Release Date: 2010-02-18
Criticality level: Highly critical
Impact:   Cross Site Scripting, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 3.0.x, Mozilla Firefox 3.5.x
Solution: Update to version 3.0.18 or 3.5.8.
Original Advisory: Mozilla:
http://www.mozilla.org/security/announce/2010/mfsa2010-01.html
http://www.mozilla.org/security/announce/2010/mfsa2010-02.html
http://www.mozilla.org/security/announce/2010/mfsa2010-03.html
http://www.mozilla.org/security/announce/2010/mfsa2010-04.html
http://www.mozilla.org/security/announce/2010/mfsa2010-05.html
Secunia Research:
http://secunia.com/secunia_research/2009-45/

Bug list:
- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.1%3A.8-fixed
63 bugs found.

Fixed in Firefox 3.5.8
- http://www.mozilla.org/security/known-vulnerabilities/firefox35.html

Bug list:
- https://bugzilla.mozilla.org/buglist.cgi?keywords_type=anywords&keywords=fixed1.9.0.18+verified1.9.0.18
19 bugs found.

Fixed in Firefox 3.0.18
- http://www.mozilla.org/security/known-vulnerabilities/firefox30.html

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1571
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3988
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0159
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0160
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0162
___

Blocklisted add-ons that should no longer be used with Mozilla products.
- https://www.mozilla.com/en-US/blocklist/

 

[Firefox v3.6.2]

FYI...

Firefox v3.6.2
- http://secunia.com/advisories/38608/
Last Update: 2010-03-19
Criticality level: Highly critical
Impact:   System access
Where: From remote
Solution Status: Vendor Workaround
Software: Mozilla Firefox 3.6.x
Original Advisory: Mozilla:
- http://blog.mozilla.com/security/2010/03/18/update-on-secunia-advisory-sa38608/
03.18.10 - "Mozilla was contacted by Evgeny Legerov, the security researcher who discovered the bug referenced in the Secunia report, with sufficient details to reproduce and analyze the issue. The vulnerability was determined to be critical and could result in remote code execution by an attacker. The vulnerability has been patched by developers and we are currently undergoing quality assurance testing for the fix. Firefox 3.6.2 is scheduled to be released March 30th and will contain the fix for this issue. As always, we encourage users to apply this update as soon as it is available to ensure a safe browsing experience. Alternatively, users can download the current Beta build of Firefox 3.6.2, which contains the fix from here:  
https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.2-candidates/build3/

- https://wiki.mozilla.org/WeeklyUpdates/2010-03-22#Branch_work:_Firefox_3.5.x_.2F_Firefox_3.6.x_.2F_Thunderbird_3.0.x
WeeklyUpdates/2010-03-22 - "QA and release teams are quickly checking the risk of 1.9.2 patches, to see if we can get 3.6.2 out early this week."

 

[Firefox v3.6.2 released]

FYI...

Firefox v3.6.2 released

From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html

• Critical: MFSA 2010-11 Crashes with evidence of memory corruption
- http://www.mozilla.org/security/announce/2010/mfsa2010-11.html
• Critical: MFSA 2010-08 WOFF heap corruption due to integer overflow
- http://www.mozilla.org/security/announce/2010/mfsa2010-08.html

Fixed in Firefox 3.6.2
- http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.2
MFSA 2010-15 Asynchronous Auth Prompt attaches to wrong window
MFSA 2010-14 Browser chrome defacement via cached XUL stylesheets
MFSA 2010-13 Content policy bypass with image preloading
MFSA 2010-12 XSS using addEventListener and setTimeout on a wrapped object
MFSA 2010-11 Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.8/ 1.9.0.18)
MFSA 2010-10 XSS via plugins and unprotected Location object
MFSA 2010-09 Deleted frame reuse in multipart/x-mixed-replace image
MFSA 2010-08 WOFF heap corruption due to integer overflow

What’s New in Firefox 3.6.2
- http://www.mozilla.com/en-US/firefox/3.6.2/releasenotes/
Firefox 3.6.2 fixes the following issues found in previous versions of Firefox 3.6:
* Fixed a critical security issue that could potentially allow remote code execution (see bug 552216).
* Fixed several additional security issues.
* Fixed several stability issues.
Please see the complete list of changes* in this version..."
* https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.2%3A.2-fixed
118 bugs found.

- http://secunia.com/advisories/38608/
Last Update: 2010-03-23
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution: Update to version 3.6.2.

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0164
... before 3.6.2...
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0165
... before 3.6.2...
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0166
... before 3.6.2...
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0169
... before 3.6.2...
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0170
... before 3.6.2...
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0171
... before 3.6.2...
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0172
... before 3.6.2...
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1028
... before 3.6.2...
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1122
Last revised: 03/26/2010 - ... Firefox 3.5.x through 3.5.8...
CVSS v2 Base Score: 10.0 (HIGH)...

- https://wiki.mozilla.org/WeeklyUpdates/2010-03-29#Branch_work:_Firefox_3.5.x_.2F_Firefox_3.6.x_.2F_Thunderbird_3.0.x
WeeklyUpdates/2010-03-29 - "... 3.5.9, 3.0.19 on track for tomorrow..."

 

[Firefox v3.5.9 released]

FYI...

Firefox v3.5.9 released

From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download
- http://www.mozilla.com/firefox/all-older.html

Release Notes
- http://www.mozilla.com/firefox/3.5.9/releasenotes/
v.3.5.9, released March 30, 2010

Security Advisories
- http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.9
Fixed in Firefox 3.5.9
MFSA 2010-24 XMLDocument::load() doesn't check nsIContentPolicy
MFSA 2010-23 Image src redirect to mailto: URL opens email editor
MFSA 2010-22 Update NSS to support TLS renegotiation indication
MFSA 2010-20 Chrome privilege escalation via forced URL drag and drop
MFSA 2010-19 Dangling pointer vulnerability in nsPluginArray
MFSA 2010-18 Dangling pointer vulnerability in nsTreeContentView
MFSA 2010-17 Remote code execution with use-after-free in nsTreeSelection
MFSA 2010-16 Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.9/ 1.9.0.19)

- https://developer.mozilla.org/devnews/index.php/2010/03/30/firefox-3-5-9-and-3-0-19-security-updates-now-available/
March 30, 2010 - "... Firefox 3.5.9 and Firefox 3.0.19 are now available for Windows, Mac, and Linux for free download... Please note: This is the last planned security and stability release for Firefox 3.0... "
Use: >Help >Check for Updates

Firefox 3.0.19: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.19

13 bugs...
- https://bugzilla.mozilla.org/buglist.cgi?keywords_type=anywords&keywords=fixed1.9.0.19+verified1.9.0.19

 

[Firefox v3.6.3 released]

FYI...

Firefox v3.6.3 released

From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html

- http://www.mozilla.org/security/announce/2010/mfsa2010-25.html
Title: Re-use of freed object due to scope confusion
Impact: Critical
Announced: April 1, 2010
Reporter: Nils (MWR InfoSecurity)
Products: Firefox
Fixed in: Firefox 3.6.3...

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1121
Last revised:03/26/2010
CVSS v2 Base Score: 10.0 (HIGH)
Overview: Unspecified vulnerability in Mozilla Firefox 3 on Windows 7 allows remote attackers to execute arbitrary code via unknown vectors that trigger memory corruption, as demonstrated by Nils during a Pwn2Own competition at CanSecWest 2010...

- http://secunia.com/advisories/39175/
Release Date: 2010-04-02
Criticality level: Highly critical
Impact:   System access
Where: From remote
Solution: Update to version 3.6.3.
___

Due to some obscure moron a "security 'specialist'" hacking into a kludge of browsers "playing games" at a supposed security conference at CanSecWest with all the public media reports as a result of the "contest", this update became necessary wasting the time and effort of millions of end users and those who support them. More updates for other browsers will follow...

Responsible Disclosure Policy
- http://www.secureworks.com/research/disclosure.html
As a managed security services provider, we are constantly researching new methods computer criminals could use to break into systems, steal information and cause harm to our clients or their clients. We must be ahead of the criminal – anticipating new threats and developing countermeasures to prevent those threats. In that process, we may discover a vulnerability or a class of vulnerabilities in a technology solution that could create risk for our clients or the general market. When we discover a vulnerability, we will follow SecureWorks’ Responsible Disclosure Policy.
The goals of our Disclosure Policy are as follows:
   1. Minimize risks to our clients and to the market
   2. Education
   3. Contribution to the security community
   4. Cooperation with vendor community to understand the vulnerability
SecureWorks believes that it is important to work with technology providers when we find vulnerabilities – giving them an opportunity to patch their systems prior to advising our clients and the public about the vulnerability. This reduces the opportunity for a computer criminal to use information we provide to the public to cause harm although it does not prevent the criminal from discovering the same vulnerability independently...

 

[Firefox v3.6.4 released]

FYI...

Firefox v3.6.4 released

From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html
June 22, 2010

What’s new
- http://www.mozilla.com/en-US/firefox/3.6.4/releasenotes/

- http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.4

- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.2%3A.4-fixed
226 bugs found/fixed

- http://secunia.com/advisories/40309/
Release Date: 2010-06-23
Criticality level: Highly critical
Impact:   Security Bypass, Exposure of sensitive information, System access
Where: From remote
Solution: Update to version 3.5.10 or 3.6.4...

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1196
Last revised: 06/30/2010
CVSS v2 Base Score: 9.3 (HIGH)
"... Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1197
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1198
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1199
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1200
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1201
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1202
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1203

 

[Firefox v3.6.6 released]

FYI...

Firefox v3.6.6 released

From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html
June 26, 2010

What’s new
- http://www.mozilla.com/en-US/firefox/3.6.6/releasenotes/
"Firefox 3.6.6 modifies the crash protection feature to increase the amount of time that plugins are allowed to be non-responsive before being terminated..."

- http://forums.mozillazine.org/viewtopic.php?f=38&t=1929983
"Firefox 3.6.6 is a maintenance release to solve problems with Flash crashes. If you are having a number of flash crashes this should solve the issue. The fix increases the amount of time the before Firefox decides the plug-in has crashed. If you are curious why this release isn't number 3.6.5 see where's 3.6.5?* ..."
* http://christian.legnitto.com/blog/2010/06/09/heads-up-the-next-firefox-platform-version-is-1-9-2-6-instead-of-1-9-2-5/

- http://www.h-online.com/security/news/item/Norton-produces-false-alarm-after-Firefox-update-1030099.html
28 June 2010 - "... Norton Antivirus and Internet Security from Symantec both issued a security alert and pushed various files into quarantine after they installed the latest Firefox update which in turn caused Firefox to malfunction. In Symantec's support forums and elsewhere on the internet, further users have reported malware alerts after installing the Firefox 3.6.6 update. The affected files are reported to be:
* freebl3.dll
* softokn3.dll
* nssdbm3.dll
The name given by Symantec, WS.Reputation.1, points towards a detection by the cloud based functionality of Norton where the company evaluates the information transmitted by users' systems to assess files. Files that haven't been seen before are considered particularly suspicious. [?] If Norton then detects anything else that's unusual about the file, it will raise the alarm..."

 

[Firefox v3.6.7 released]

FYI...

Firefox v3.6.7 released

From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html
July 20, 2010

What’s new
- http://www.mozilla.com/en-US/firefox/3.6.7/releasenotes/

- http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.7

- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.2%3A.7-fixed,.5-fixed
126 bugs found/fixed.

- http://securitytracker.com/alerts/2010/Jul/1024225.html
- http://securitytracker.com/alerts/2010/Jul/1024226.html

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0654
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1208
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1209
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1211
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1212
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1214
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2752
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2753
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2754

 

[Firefox v3.6.8 released]

FYI...

Firefox v3.6.8 released

From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html
July 23, 2010

What’s new
- http://www.mozilla.com/en-US/firefox/3.6.8/releasenotes/
• Fixed a single stability issue affecting some pages containing plugins.
Regression:  http://www.mozilla.org/security/announce/2010/mfsa2010-48.html

- http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.8

- http://securitytracker.com/alerts/2010/Jul/1024243.html
Date: July 24, 2010

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2755
CVSS v2 Base Score: 10.0 (HIGH)

 

[Firefox v3.6.9 released]

FYI...

Firefox v3.6.9 released

From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html
Sep. 7, 2010

What’s new
- http://www.mozilla.com/en-US/firefox/3.6.9/releasenotes/

- http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.9

67 bugs found:
- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.2:.9-fixed

- http://secunia.com/advisories/41297/
Release Date: 2010-09-08
Criticality level: Highly critical
Impact: Cross Site Scripting, Exposure of sensitive information, System access
Where: From remote
CVE Reference(s): CVE-2010-2760, CVE-2010-2762, CVE-2010-2763, CVE-2010-2764, CVE-2010-2765, CVE-2010-2766, CVE-2010-2767, CVE-2010-2768, CVE-2010-2769, CVE-2010-2770, CVE-2010-3166, CVE-2010-3167, CVE-2010-3168, CVE-2010-3169
Solution: Update to version 3.6.9 or 3.5.12.

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3171
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3399
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3400

- http://securitytracker.com/alerts/2010/Sep/1024401.html
- http://securitytracker.com/alerts/2010/Sep/1024406.html
Sep 8 2010

 

[Firefox v3.6.10 released]

FYI...

Firefox v3.6.10 released

From an admin. account, start Firefox, then >Help >Check for Updates
-or-
Download:
- http://www.mozilla.com/firefox/all.html
Sep. 15, 2010

What’s new
- http://www.mozilla.com/en-US/firefox/3.6.10/releasenotes/
• Fixed a single stability issue affecting a limited number of users

2 bugs found.
- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.2%3A.10-fixed