Mozilla Security Blog

Window Snyder’s Blog

Archive for 'Security' Category


Clarification on Vietnamese Language Pack Compromise

12 May 2008

As today’s headlines confirm, there is still a lot of confusion about what happened to the Vietnamese language pack, who is impacted, and what that impact really is.
First of all, there is no virus in the Vietnamese language pack. Users of the Vietnamese language pack for Firefox have not been infected with a virus. The remnant we […]


Compromised file in Vietnamese Language Pack for Firefox 2

7 May 2008

The Vietnamese language pack for Firefox 2 contains inserted code to load remote content.  This code is the result of a virus infection, but does not contain the virus itself.  This usually results in the user seeing unwanted ads, but may be used for more malicious actions.
Everyone who downloaded the most recent Vietnamese language pack […]


Status update for Chrome Protocol Directory Traversal issue

29 January 2008

Background on this issue is available here.
Impact
An attacker can use this vulnerability to collect session information, including session cookies and session history. Firefox is not vulnerable by default. Only users who have installed “flat” packed add-ons are at risk. Discussion about “flat” packaged add-ons is here. A partial list of “flat” packed add-ons is available […]


chrome protocol directory traversal

22 January 2008

Issue
A vulnerability in the chrome protocol scheme allows directory traversal when a “flat” add-on is present, resulting in potential information disclosure.
Impact
When a chrome package is “flat” rather than contained in a .jar, the directory traversal allows escaping the extensions directory and reading files in a predictable location on the disk. Many add-ons are packaged in […]


Read past the headlines - Firefox is fixed faster

17 January 2008

Secunia released a report this week that discusses a few aspects of the security landscape for 2007.  Techworld ran a story based on this report with this headline: “Red Hat and Firefox more buggy than Microsoft.”  While the headline is misleading, the Techworld article actually tells an interesting story.
Counting security vulnerabilities to compare the security […]


BasicAuth dialog realm value spoofing

4 January 2008

Issue
The realm value in a basic authentication dialog may be spoofed by an attacker to trick users into thinking the authentication request is coming from a different, trusted site.
Impact
When displaying the basic authentication dialog, Firefox displays the actual source of the request at the end of the dialog text.  Some other browsers display the request […]


Critical Vulnerability in Microsoft Metrics

30 November 2007

Jeff Jones, a director of security strategy at Microsoft, published a report today about counting bugs. I blogged a few months ago about why I think counting bugs is less than useful:
Since all software has bugs, it’s more important to consider how long it takes to get a fix out when a security […]


jar: Protocol XSS Security Issues

16 November 2007

Issue
The jar: protocol is not restricted to Java archives and will open any zip format file. An attacker can use this to evade filtering on sites that allow users to upload content, and use this to initiate a cross-site scripting attack.
Impact
Firefox supports the Java Archive URI scheme that allows the addressing of the contents […]


Meet the Mozilla Security Group

1 October 2007

How can Mozilla be open about security issues without exposing users to additional risk?
Being open about security issues means that users have the information they need to understand their risk, that the community can contribute to the security process, and that other software development projects can benefit from our experiences.  Unfortunately, sharing the details of […]


Firefox 2.0.0.7 now available

18 September 2007

Firefox 2.0.0.7 was released this afternoon to patch the QuickTime issue described here. This will protect Firefox users from the public critical security vulnerability until a patch is available from Apple. I would like to personally thank the individuals at Apple who worked with us and the engineers at Mozilla that work so […]

