Firefox and Thunderbird Critical Updates
On June 1st, Mozilla, the creator of highly popular open source applications such as Firefox and Thunderbird (an alternative Internet browser and e-mail client), released an update. The update addresses several vulnerabilities in both applications, with more than five of them receiving a “highly critical” rating from two very reputable security companies (Secunia, ZDNet) and from the Mozilla Corporation itself.
For most Firefox 1.5 users, this update started automatically the next time the program was run after the patches were released. Users of the older Firefox 1.0, whose last update was 1.0.8, have no patch to mend the browser’s vulnerabilities. This, of course, makes it a huge security risk to keep using that version. If you still use the older version of Firefox, you are advised to update immediately.
Verifying the Firefox Version:
Mozilla posts a list of all the vulnerabilities in its products, complete with which patches fixed which vulnerabilities. I have posted a summary of the list from Mozilla’s site, and you can click on the link at the end of the list for more complete details.
Firefox’s 12 Vulnerabilities Patched by the Recent Update:
1. Privilege escalation using AddSelectionListener.
2. Web site XSS using BOM on UTF.
3. File stealing by changing input type (variant).
4. “View Image” local resource linking (Windows).
5. Buffer overflow in crypto.signText.
6. Remote compromise via content defined setter on object prototypes.
8. Privilege escalation through XUL persist.
10. HTTP response smuggling.
11. Fixes for crashes with potential memory corruption.
12. EvalInSandbox escape (Proxy Autoconfig, Greasemonkey).
For more information regarding details of the vulnerabilities, visit Mozilla’s Known Vulnerabilities page.
If you need to update your Firefox 1.5 or you just want to make sure you have the latest update, simply open up Firefox and from the main interface, go to Help, Check for Updates.
Now, if you have Firefox 1.0 and need to jump on board with the 1.5 version, you don’t need to uninstall the current version. Simply go to Mozilla’s Firefox download page and follow the procedure for downloading and installing the most current version of Firefox 1.5. After this is done, you may want to make sure you have the latest updates by following any of the procedures above (you should be updated if this is a new install). With that out of the way, you can enjoy browsing the Internet using your red-tailed browser free of worries. Until the next vulnerability, that is.
In addition to the Firefox patch, there is also a fix for Thunderbird, Mozilla’s popular alternative to Outlook Express. The vulnerabilities are a subset of the holes Mozilla patched in Firefox the same day; however, only one of the “highly critical” rated vulnerabilities affects Thunderbird.
If you prefer to use Thunderbird as your e-mail client and are unsure whether or not you are up to date, the steps below should help get you all set.
If you open up Thunderbird and go to Help, About Mozilla Thunderbird, a small window will pop up displaying what build or version you are running (you should be using 220.127.116.11).
If your install of Thunderbird didn’t update for whatever reason, you can manually perform the update from the Help, Check for Updates option from the main interface.
And again, with Thunderbird updated, you shouldn’t have to worry about too much until the next vulnerability.
So until next week, stay safe out there.
~ Chad Stelnicki