09.16.09 - 02:43pm
I wrote last week about a new project we’ve started, informing our users when they’re running out-of-date versions of popular plugins. We focused our initial efforts on the Adobe Flash Player and now, a week after launch, Mozilla’s Numerator, Ken Kovash, has a blog post up looking at the results.
Those results have been [...]
Category: Security, Security Updates | 14 Comments »
08.25.09 - 03:29pm
The best way for users to stay safe online is to use an updated browser. While most Firefox users get updated quickly, some fall behind for various reasons. We’re looking for ways to increase uptake while still preserving user choice.
Ken Kovash and Eric Hergenrader surveyed users who have update-checking enabled but repeatedly chose [...]
Category: Firefox, Security Updates | 32 Comments »
01.29.08 - 05:33pm
Background on this issue is available here.
Impact
An attacker can use this vulnerability to collect session information, including session cookies and session history. Firefox is not vulnerable by default. Only users that have installed “flat” packed add-ons are at risk. Discussion about “flat” packaged add-ons is here. A partial list of “flat” packed add-ons is available [...]
Category: Firefox, Security, Security Updates, Vulnerabilities | 3 Comments »
09.18.07 - 03:09pm
Firefox 2.0.0.7 was released this afternoon to patch the QuickTime issue described here. This will protect Firefox users from the public critical security vulnerability until a patch is available from Apple. I would like to personally thank the individuals at Apple who worked with us and the engineers at Mozilla that work so [...]
Category: Announcements, Firefox, Security, Security Updates, Vulnerabilities | Comments Off
07.30.07 - 09:11pm
We’ve just released Firefox 2.0.0.6 which contains a security patch to mitigate the issue described here. The patch enables percent-encoding for spaces and double-quotes in URIs handed off to external programs. This reduces the risk of malicious data being passed through Firefox to another application that may then trigger unexpected and potentially dangerous [...]
Category: Announcements, Firefox, Security Updates, Vulnerabilities | 1 Comment »
07.18.07 - 11:49am
Firefox 2.0.0.5 is now available and there is a fix for the URL protocol handling issue described here. We warned that other Windows applications may be vulnerable to this Internet Explorer issue, and on Sunday Nate McFeters, Billy Rios, and Raghav Dube posted a proof of concept that demonstrates the same attack through Internet [...]
Category: Announcements, Firefox, Security, Security Updates, Vulnerabilities | 21 Comments »
07.10.07 - 02:04pm
Today security firm Secunia released an advisory on a security issue found (apparently) simultaneously and independently by Greg MacManus and Billy Rios based on a previously reported issue in Safari found by Thor Larholm.
Any Windows application that calls a registered URL protocol without escaping quotes may be used to pass unexpected and potentially dangerous data [...]
Category: Firefox, Security, Security Updates, Vulnerabilities | 24 Comments »
06.18.07 - 03:35pm
Since all software has bugs, it’s more important to consider how long it takes to get a fix out when a security issue is discovered than it is to count bugs. Number of vulnerabilities identified is a function of how many bugs are present, but is probably more influenced by things like who is [...]
Category: Firefox, Musings, Press, Security, Security Updates | 8 Comments »