Mozilla Security Blog

Window Snyder’s Blog

Archive for 'Security Updates' Category

Status update for Chrome Protocol Directory Traversal issue

29 January 2008

Background on this issue is available here.

Impact

An attacker can use this vulnerability to collect session information, including session cookies and session history. Firefox is not vulnerable by default. Only users that have installed “flat” packed add-ons are at risk. Discussion about “flat” packaged add-ons is here. A partial list of “flat” packed add-ons is available […]


Firefox 2.0.0.7 now available

18 September 2007

Firefox 2.0.0.7 was released this afternoon to patch the QuickTime issue described here. This will protect Firefox users from the public critical security vulnerability until a patch is available from Apple. I would like to personally thank the individuals at Apple who worked with us and the engineers at Mozilla that work so […]


Firefox 2.0.0.6 now available

30 July 2007

We’ve just released Firefox 2.0.0.6 which contains a security patch to mitigate the issue described here. The patch enables percent-encoding for spaces and double-quotes in URIs handed off to external programs. This reduces the risk of malicious data being passed through Firefox to another application that may then trigger unexpected and potentially dangerous […]


Fix for Windows URL Protocol Handling Problem in Firefox 2.0.0.5

18 July 2007

Firefox 2.0.0.5 is now available and there is a fix for the URL protocol handling issue described here. We warned that other Windows applications may be vulnerable to this Internet Explorer issue, and on Sunday Nate McFeters, Billy Rios, and Raghav Dube posted a proof of concept that demonstrates the same attack through Internet […]


Security Issue in URL Protocol Handling on Windows

10 July 2007

Today security firm Secunia released an advisory on a security issue found (apparently) simultaneously and independently by Greg MacManus and Billy Rios based on a previously reported issue in Safari found by Thor Larholm.
Any Windows application that calls a registered URL protocol without escaping quotes may be used to pass unexpected and potentially dangerous data […]


Time to Deploy improvement of 25 percent

18 June 2007

Since all software has bugs, it’s more important to consider how long it takes to get a fix out when a security issue is discovered than it is to count bugs. Number of vulnerabilities identified is a function of how many bugs are present, but is probably more influenced by things like who is […]
