Security update: Firefox 184.108.40.206 released
It is recommended that you update to this version as soon as possible (download here). The release addresses the following advisories:
- MFSA 2007-25 XPCNativeWrapper pollution
- MFSA 2007-24 Unauthorized access to wyciwyg:// documents
- MFSA 2007-23 Remote code execution by launching Firefox from Internet Explorer
- MFSA 2007-22 File type confusion due to %00 in name
- MFSA 2007-21 Privilege escalation using an event handler attached to an element not in the document
- MFSA 2007-20 Frame spoofing while window is loading
- MFSA 2007-19 XSS using addEventListener and setTimeout
- MFSA 2007-18 Crashes with evidence of memory corruption
Be warned: if you are using a version of Firefox earlier than 1.5.x, you will need to manually download and install the update. Users of later versions should be prompted to update; if not, they can open Firefox, click "Help" and then "Check for Updates."
MFSA 2007-23 ("Remote code execution by launching Firefox from Internet Explorer") has received a lot of attention since it became public... some blamed Firefox, some blamed IE, and let's be honest, far more blamed IE. The Mozilla Foundation were even cheeky enough to say that they "highly recommend(s) using Firefox to browse the web to prevent attackers from exploiting this problem in Internet Explorer".
Hang on a sec - that statement is nearly as cheeky as Apple saying they were upset with Windows when new iPods were shipped complete with a worm/trojan ...
Let's look at what happened:
- Firefox introduced a security vulnerability by creating a protocol handler that doesn't validate URLs properly
- Mozilla tell everybody to use Firefox and avoid IE so that the vulnerability that they introduced cannot be used
Um, no... when the *Firefox* product creates a vulnerability on my system and Mozilla then fixes the problem, they shouldn't be telling me to stop using a competitor's product, especially when the protocol handler Firefox registered is not for the exclusive use of Internet Explorer.
"Note: Other Windows applications can be called in this way and also manipulated to execute malicious code. This fix only prevents Firefox and Thunderbird from accepting bad data. This patch does not fix the vulnerability in Internet Explorer."
Sorry, but I'm siding with Jesper:
"It is clear from the documentation that it is incumbent upon the application to validate the URL string. If the application can accept, and process, dangerous commands through its protocol handler, as Firefox does, it is even more critical that the application take care to validate the URL before processing it. In fact urlmon.dll even provides such a way."
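The point Jesper is making, that an application which registers a URL protocol handler must validate the URL string the operating system hands it before doing anything with it, is easy to show in code. The following is an added example (not Mozilla's or Firefox's code) for a hypothetical scheme `myapp:`; it assumes the OS passes the complete URL as a single argument and that the handler's job is to open an http(s) target in a browser. The scheme name, the `browser.exe -url` launch convention and the character rules are illustrative assumptions, not anything from the advisory.

```python
"""Validate a URL handed to a custom protocol handler before acting on it.

Added example, not code from Firefox or the advisory. Assumes a hypothetical
handler registered for the scheme "myapp:" whose only legitimate job is to
open an absolute http(s) URL in a browser.
"""
import re
from urllib.parse import urlsplit

HANDLED_SCHEME = "myapp"                 # hypothetical scheme this handler owns
ALLOWED_TARGET_SCHEMES = {"http", "https"}

# Characters that must never appear literally in the string we forward:
# control characters, whitespace and quotes can terminate or split a
# command-line argument, and the remaining metacharacters have meaning to
# shells and command interpreters. Percent-encoded forms are fine, because
# they stay inert until a URL parser decodes them at the destination.
_FORBIDDEN = re.compile(r"""[\x00-\x1f\x7f\s"'<>|&`]""")
# Every '%' must introduce a well-formed escape, so a downstream decoder
# cannot be tricked into reinterpreting the string.
_BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


class InvalidHandlerURL(ValueError):
    """Raised when the incoming URL fails validation."""


def validate_handler_url(raw: str, max_len: int = 2048) -> str:
    """Return the embedded target URL if `raw` is acceptable, else raise.

    `raw` is the complete string the OS gave the handler, for example
    "myapp:https://example.org/path". The string is never decoded here; the
    percent-encoded form is what gets forwarded, and the browser decodes it.
    """
    if len(raw) > max_len:
        raise InvalidHandlerURL("URL too long")
    if _FORBIDDEN.search(raw):
        raise InvalidHandlerURL("forbidden character in URL")
    if _BAD_ESCAPE.search(raw):
        raise InvalidHandlerURL("malformed percent-escape")

    scheme, sep, target = raw.partition(":")
    if not sep or scheme.lower() != HANDLED_SCHEME:
        raise InvalidHandlerURL("not a %s: URL" % HANDLED_SCHEME)

    # Only an absolute http(s) URL with a host may be forwarded; anything
    # else (file:, javascript:, chrome:, relative paths) is refused outright.
    parts = urlsplit(target)
    if parts.scheme.lower() not in ALLOWED_TARGET_SCHEMES or not parts.netloc:
        raise InvalidHandlerURL("target must be an absolute http(s) URL")
    return target


def safe_launch_argv(raw: str) -> list:
    """Build the argument vector for the browser from a validated URL.

    Returning a list (rather than a shell string) means no quoting is done
    by us; combined with the character filter above, the target cannot be
    split into extra arguments when the child re-parses its command line.
    "browser.exe" and "-url" are hypothetical.
    """
    target = validate_handler_url(raw)
    return ["browser.exe", "-url", target]


def is_acceptable(raw: str) -> bool:
    """Convenience predicate for callers that only need a yes/no answer."""
    try:
        validate_handler_url(raw)
        return True
    except InvalidHandlerURL:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate, the rest each failing one rule.
    samples = [
        "myapp:https://example.org/path?q=1",
        'myapp:https://example.org/" -some-other-flag',
        "myapp:file:///C:/somewhere",
        "myapp:javascript:alert(1)",
        "http://example.org/",
        "myapp:https://example.org/a%2",
    ]
    for s in samples:
        print("%-45r -> %s" % (s, "accept" if is_acceptable(s) else "reject"))
```

The rule the filter enforces is the one the advisory implies: the handler owns the trust boundary between the operating system and the application, so it decides what a well-formed URL for its scheme looks like and refuses everything else, rather than passing the string through and hoping the other program on the path sanitised it.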