Firefox 1.04 - Released to address Critical Security issue
Mozilla has released version 1.04 of Firefox to address a security issue and exploit discovered this week. I have installed the new release for Windows 98, 2000, and XP SP2 with no issues so far. While there are no in-the-wild threats or viruses associated with the new exploit, current Firefox users should upgrade to further protect their systems.
Firefox 1.04 - Security Changes and other release notes
Security Update to Firefox Now Available
Firefox 1.04 Free Download (English version 1.04)
Original Advisories on Security Issues
Mozilla Foundation Security Advisory 2005-42
Secunia - Mozilla Firefox Two Critical Vulnerabilities
The cross-site scripting and remote system access flaws were discovered in Firefox version 1.0.3, but other versions may also be affected, said security company Secunia, which issued the ratings Sunday. The two vulnerabilities, when combined, can be exploited, but no known cases have yet emerged where an attacker took advantage of the public exploit code.
One flaw involves "IFRAME" JavaScript URLs, which are not properly protected from being executed in the context of another URL in the history list. "If you visit a malicious Web site, it can steal cookie information from other Web sites you had previously visited," said Thomas Kristensen, Secunia's chief technology officer. The attacker could then use that information to engage in identity theft or gain access to other password-protected sites that the victim visited.
Mozilla also published the following workaround, which empties the list of web sites that are allowed to install software without an extra prompt. It is worth applying even after upgrading to version 1.04: with the list empty, no site can install software until you add it back, which also limits the impact of similar issues in the future. Sites can be re-added (or the setting toggled) whenever you actually need to install an extension.
1. Select the "Options" dialog from the "Tools" menu
2. Select the "Web Features" icon
3. Click the "Allowed Sites" button on the same line as the "Allow web sites to install software" checkbox
4. Click the "Remove All Sites" button
5. Click "OK"
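For checking that the workaround above actually took effect (for example across several profiles or machines), here is an added example script; it is not part of the original post and not Mozilla's own tooling. It assumes that a Firefox 1.0.x profile stores per-site permissions in a text file named hostperm.1, with one tab-separated entry per line in the form `host <type> <decision> <hostname>`, where the decision field is 1 for "allow" and 2 for "deny". Both the file name and that layout are assumptions made for the example, and the sample file contents are constructed. The script lists which hosts are still allowed to install software, reports whether the list is empty, and can produce a cleaned copy equivalent to clicking "Remove All Sites".

```python
"""Audit a Firefox 1.0.x profile for hosts still allowed to install software.

Assumption (not stated on the original page): the profile directory holds a
text file hostperm.1 with lines such as

    host<TAB>install<TAB>1<TAB>update.mozilla.org

where the third field is 1 = allow, 2 = deny, and '#' starts a comment.
"""
import sys
from pathlib import Path

ALLOW = "1"
DENY = "2"

# Constructed sample of a hostperm.1 file; hostnames are illustrative only.
SAMPLE_HOSTPERM = """\
# Permission File
# This is a generated file! Do not edit.

host\tpopup\t1\twww.example.com
host\tinstall\t1\tupdate.mozilla.org
host\tinstall\t1\taddons.mozilla.org
host\tinstall\t2\tevil.example.net
"""


def _parse_line(raw):
    """Return (type, decision, host) for a permission line, else None."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    # Expected shape: host <type> <decision> <hostname>
    if len(fields) != 4 or fields[0] != "host":
        return None
    _, ptype, decision, host = fields
    return ptype, decision, host.lower()


def parse_hostperm(text):
    """All permission entries found in the file contents."""
    return [e for e in (_parse_line(l) for l in text.splitlines()) if e]


def install_allowed_hosts(text):
    """Hosts that may install software without the extra prompt, sorted."""
    return sorted({host for ptype, decision, host in parse_hostperm(text)
                   if ptype == "install" and decision == ALLOW})


def workaround_applied(text):
    """True when the 'Allowed Sites' install list is empty."""
    return not install_allowed_hosts(text)


def remove_install_allowances(text):
    """File contents with every install *allow* entry dropped.

    Other permission types (e.g. popup) and explicit install denials are kept,
    which mirrors what the 'Remove All Sites' button does to the list.
    """
    kept = []
    for raw in text.splitlines():
        entry = _parse_line(raw)
        if entry and entry[0] == "install" and entry[1] == ALLOW:
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


def audit_profile(profile_dir):
    """Read <profile>/hostperm.1 and return the still-allowed install hosts."""
    perm_file = Path(profile_dir) / "hostperm.1"
    if not perm_file.exists():
        return []  # no permissions file means nothing has been whitelisted
    return install_allowed_hosts(perm_file.read_text(errors="replace"))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hosts = audit_profile(sys.argv[1])
    else:
        hosts = install_allowed_hosts(SAMPLE_HOSTPERM)
    if hosts:
        print("Workaround NOT applied; hosts still allowed to install:")
        for h in hosts:
            print("  " + h)
    else:
        print("Workaround applied: no host may install software.")
```

Run it with a profile directory as the only argument; with no argument it audits the constructed sample. If you use `remove_install_allowances` to rewrite a real hostperm.1, close Firefox first, since the browser rewrites that file on exit and would otherwise overwrite your change.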