New vulnerabilities are haunting Mozilla, Firefox, and Netscape browsers, while different threats have surfaced in Outlook and Internet Explorer. Meanwhile, IM and P2P threats surge.
Details
Secunia has reported, and Mozilla has confirmed, an information disclosure vulnerability in the Firefox browser — including the latest update (version 1.0.2), which is only a few weeks old (released March 21). In fact, troubles for the increasingly popular browser are coming so fast and furious that mozillaZine has reported that a new Firefox release candidate has already replaced the Firefox release candidate 1.0.3, which became available on April 5.
Mozilla released the new release candidate (also designated 1.0.3) the very next day. Be forewarned that this release candidate 1.0.3, and probably the eventual release version as well, is likely to cause problems with a number of extensions.
Below are links to Secunia's reports about each threat:
The information disclosure vulnerability exposes random memory areas to malicious Web sites, and users would never be aware of it. As you would expect, it's mostly ASCII garbage, but there are definitely real information disclosures too, so this is a very real threat.
Secunia offers a Mozilla Products Arbitrary Memory Exposure Test to help you determine if your system is vulnerable to the new vulnerability. Using IE6, I went to the site and found no problem, but Firefox was definitely exposing arbitrary chunks of my memory. So if you're using Firefox, Mozilla, or even Netscape, I highly recommend running a quick test from Secunia's Web site.
Another recent report, this one coming from SecuriTeam.com (and credited to mikx), appears very similar, and it almost certainly refers to the same vulnerability discussed in the Secunia reports. (Secunia doesn't list MITRE CAN designations, so I can't be certain.) Below are links to the CVE reports.
Unfortunately, SecuriTeam.com has published links to proof-of-concept code. Dubbed Firescrolling, Fireflashing, Firetabbing, and Firedragging, all of these threats involve Java-based attacks.
Talkback
If only the press as a whole would have held Internet Explorer to the same standards in the beginning as they do now FireFox. It would have been a different world.
Other then that I think it's a plus to disclose flaws in software. Certainly security and privacy related ones. Currently the general public is mostly ignorant about the state of affairs in software security land since the general public is mostly informed by means of ads and news flashes and that's hardly an accurate representation of the actual facts.
"In fact, troubles for the increasingly popular browser are coming so fast and furious that mozillaZine has reported that a new Firefox release candidate has already replaced the Firefox release candidate 1.0.3, which became available on April 5."
The extra fixes to be included in 1.0.3 fix bug 281988. There have been no security problems found with the code relating to that bug, just the potential for problems.
https://bugzilla.mozilla.org/show_bug.cgi?id=281988
"Be forewarned that this release candidate 1.0.3, and probably the eventual release version as well, is likely to cause problems with a number of extensions."
"Asa Dotzler has announced another set of Mozilla Firefox 1.0.3 release candidates. ***These builds should allow extensions and other features to operate as they did in Firefox 1.0.2 while still including the security improvements wanted by the Mozilla Foundation.***"
http://www.mozillazine.org/talkback.html?article=6369
"Of course, while you can switch to Firefox to avoid the latest IE vulnerability, you'll then have to deal with the new Firefox vulnerability instead—and it appears to be nearly as dangerous."
IE's problem is remote code execution. Firefox's is information disclosure. I don't know about you, but I'd much rather have an attacker be able to read random bits of memory than him be able to run whatever code he likes on my machine.
"All of the Mozilla, Firefox, and Navigator threats appear to involve Java. So, until Mozilla releases a patch, disabling JavaScript will block any attack attempts in the meantime."
Java is not the same Javascript! Perhaps you should let someone who knows the difference write the articles from now on.
You appear to be confused between the language in which an exploit exists and the language to disable using a security setting. Do you know the difference between Java and JavaScript?
Java is an object oriented development language delivered over the network as class and jar files.
JavaScript/ECMAScript is a scripting language embedded into a html page and usually delivered in plain text.
If the vulnerability is Java then keep it clear and advise users to switch off Java.
If the vulnerability is JavaScript then keep it clear and advise users to switch off JavaScript.
I hope you run a follow up article showing for each of the Firefox and IE vunerabilities how long each takes to fix. That would be proper editorial.