Mozilla Firefox 22.214.171.124 Released with Fix for firefoxurl:// Exploit
Wednesday July 18th, 2007
Mozilla Firefox 126.96.36.199 has been released and is currently being distributed to Firefox 2 users via the application's built-in software update system. The browser upgrade fixes several security bugs, which are detailed in the Firefox 188.8.131.52 section of the Mozilla Foundation Security Advisories page.
Firefox 184.108.40.206 includes a fix for the firefoxurl:// security exploit, which allows an attacker to use Microsoft Internet Explorer to trick Firefox into executing malicious code. Whether Firefox or IE is responsible for the flaw has been a matter of debate over the past week. The Mozilla Foundation security advisory about the firefoxurl:// issue maintains that it's a problem in IE and notes that other applications could be exploited in the same way. Others have argued that it's Firefox's responsibility to vet incoming data (something 220.127.116.11 now does).
Firefox 18.104.22.168 can be downloaded from the Firefox product page. The Firefox 22.214.171.124 Release Notes contain more general information about the upgrade. A similar update for Mozilla Thunderbird is expected shortly.
#1 Clarification on the "argument"
Wednesday July 18th, 2007 6:12 AM
Just to clear the blame game up once and for all, both IE and Firefox are to blame. According to Thor Larholm:
"Internet Explorer and Firefox are both to blame. Firefox could have registered their URL protocol handler differently, for example with pure DDE, but IE is still to blame for not escaping ” (quote) characters."
#12 Re: Clarification on the "argument"
Friday July 20th, 2007 10:22 AM
Well, at least one of them is now fixed. :-)
#2 MFSA 2007-24
Wednesday July 18th, 2007 6:19 AM
MFSA 2007-24 at http://www.mozilla.org/security/announce/2007/mfsa2007-24.html is amusing. It starts off with a standard description of the problem, then segues into a a thoroughly post-modern discussion about the severity:
"Dan says: 'stealing sensitive data' should be sg:high (possibly lowered to sg:moderate if it's a completely unreliable attack, involves unlikely user interaction, or not really any potential victim sites matching the criteria. There are enough ajaxy sites potentially vulnerable to stick with 'high') Boris, which is it? Can you massage this description into just the cases we know about?"
#3 MSIE Bug
Wednesday July 18th, 2007 7:20 AM
Good for Firefox! It doesn't matter who's at fault. If it harms Fx users, Fx should fix it and let M$ squabble and point fingers and look like idiots. If it only happens when Fx is installed on system, I assume people are running both browsers, side-by-side as a test. It's good to make Fx look best and most concerned with their users' safety and protection.
#4 I agree
Wednesday July 18th, 2007 10:38 AM
I agree with HwC in what he said above. The fact that Mozilla fixed this First and Foremost kind of leaves M$ sitting there now with egg on their faces showing the world just how much, and how serious they are, about their client's/user's security.
BRAVO Mozilla! Two thumbs up for yet another job well done!
#5 x86_64 Linux version ?
Wednesday July 18th, 2007 12:01 PM
I fully agree - Mozilla has acquited itself very well indeed in this incident - much better (to, I suspect, no one's surprise) than Microsoft. But one question : is there a native x86_64 version for Linux, or are we going to have to force the architecture to conform to 32-bit standards, as in so many other applications ?...
#8 Re: x86_64 Linux version ?
Thursday July 19th, 2007 10:40 AM
There is no official x86_64 version for Linux directly from Mozilla (never has been). You can build it yourself if you like, I believe there are instructions for this floating around the internet.
Typically, if you have an x86_64 Linux distro, an x86_64 version of Firefox is provided by the people behind it and updates are delivered through the distro's online package system. (This is how it is in Fedora anyway, which I use from time to time.)
#6 What is the status of Thunderbird ?
Wednesday July 18th, 2007 5:07 PM
The US-CERT says there's also a Thunderbird 126.96.36.199. http://www.us-cert.gov/cas/techalerts/TA07-199A.html B.J.
#10 Re: What is the status of Thunderbird ?
Friday July 20th, 2007 1:23 AM
To answer my own question, a Thunderbird update is now available. B.J.
#7 Useless to blame anyone
Wednesday July 18th, 2007 5:48 PM
As I stated in the other topic, I launched the proof of concept from SeaMonkey, a fellow Gecko application, not Internet Explorer. I don't see why IE should be blamed when it's not the only one that is vulnerable of executing the exploit. In any case, it's just good that it's fixed now. I don't really care who is at fault, just that there's an official fix for the problem.
#9 Mozilla Firefox, Portable Edition 188.8.131.52 Released
Thursday July 19th, 2007 12:46 PM
The portable version of Firefox that runs from USB flash drives, iPods, portable hard drives, etc has been updated to 184.108.40.206 as well: http://portableapps.com/news/2007-07-18_-_firefox_portable_220.127.116.11
#11 Two Questions
Friday July 20th, 2007 9:28 AM
1. With all the public disclosures about the vulnerability, why is access to bug #384384 still restricted? Try viewing https://bugzilla.mozilla.org/show_bug.cgi?id=384384
2. What purposes do the firefoxURL and firefoxHTML protocols serve? I have seen comments that the protocols are for interfacing with Windows Vista but no specifics.
#13 I use SuSE Linux...so I dont need this release ;)
Thursday July 26th, 2007 5:06 PM
I use SuSE Linux...so I dont need this release ;) Thank goodness for that! ~Amber~