Avira - TechBlog » Firefox

Further critical Updates

Dirk Knop — Fri, 06 Nov 2009 06:48:32 +0000

Already last week Opera released version 10.01 of its Web Browser. It closes some security holes. At least one of them can lead to code injection (for example to infect the computer with a Trojan). Users are advised to install the new version fast.

Meanwhile, the Mozilla Foundation has updated Firefox to version 3.5.5. The developers only mention stability fixes, this release doesn’t seem to fix security issues. Anyhow it is a good idea to install the update.

There was another security Update for Sun Java. Version 6 Update 17 fixes a lot of security vulnerabilities. Those flaws may lead to remote code execution, thus updating immediately is recommended.

What else? Adobe has released Shockwave Player 11.5.1.602 which also closes security holes in the software which allow for remote malware injection. Users of the Shockwave Player (which is different from Adobe Flash Player) should also update their software immediately.

Today also Google released an update for its Chrome browser. It fixes 2 security problems which put users at risk.

Dirk Knop
Technical Editor

Firefox 3.5.4 closes 11 security holes

Dirk Knop — Wed, 28 Oct 2009 06:43:18 +0000

The Mozilla Foundation just released Firefox 3.5.4 – the new version closes 11 security holes of which 6 are considered critical from the Mozilla developers. Those vulnerabilities can be abused by cybercriminals to inject malicious code like a Trojan into the computer. The release also fixes a few non-security related issues.

Some of the bugs also affect earlier versions of the Mozilla browsers and get fixed within Firefox 3.0.15 (though it is recommended to update to Firefox 3.5) and in SeaMonkey 2.0. Thunderbird doesn’t get mentioned in the security advisories.

As some of the vulnerabilities are quite serious security issues, users should update the software as soon as possible. The easiest way is to go to the “Help” menu and choose “Check for Updates”.

Dirk Knop
Technical Editor

Firefox Update closes Drive-by-Download-Flaws

Dirk Knop — Thu, 10 Sep 2009 06:31:55 +0000

The Mozilla developers released Firefox 3.5.3, which fixes overall 4 security holes in the Web browser. 3 of them are considered to be critical and allow for executing code within the browser with highest privileges and to compromise the computer. Attackers could abuse these vulnerabilities to inject for example Trojans and other malware onto the victim’s computer – just with manipulated web pages.

With Firefox 3.5.3, the developers also added a nice new feature to the software: It’ll warn users if their Adobe Flash Player plug-in is outdated and must be updated. They’ll extend this feature for other plug-ins, according to the Mozilla Security Blog.

Please install the update as soon as possible. The easiest way is to go to the Help menu and click on “Check for Updates”. You can also download the whole installation package on the Firefox web site.

Dirk Knop
Technical Editor

Mozilla Foundation fixes 2 vulnerabilities in Firefox

Dirk Knop — Tue, 04 Aug 2009 05:28:46 +0000

The developers of the Mozilla Foundation just released Firefox 3.5.2 to close two critical rated security vulnerabilities. One flaw in the web browser could be abused to spoof certificates for web servers. This could happen as the browser didn’t parse the domain name in the certificate correctly and would stop parsing at a NULL sign. A CA would issue a certificate for <0×00> and the certificate would be valid for , thus allowing for a hidden man-in-the-middle attack.

The second vulnerability could get abused to inject malicious code – for example a Trojan – into the victim’s computer by putting certain regular expressions into a certificate for SSL communication. This happened due to code that was meant to provide backwards compatibility to the non-standard regular expression syntax used by Netscape clients and servers. Now Firefox uses the current industry-standard wild-card syntax.

Update your Firefox as soon as possible by clicking on the Help menu and choosing “Search for Updates”. As other Mozilla products like Thunderbird and SeaMonkey are vulnerable too, apply updates ASAP as well when they get available.

Dirk Knop
Technical Editor

Firefox 3.5.1 closes security hole

Dirk Knop — Fri, 17 Jul 2009 08:06:28 +0000

The Mozilla Foundation released Firefox 3.5.1 today. The new version fixes an issue which could get abused by web sites to inject malicious code into a victim’s computer. The vulnerability was in the Just-In-Time compiler for JavaScript which is a new feature in Firefox 3.5. Please update your Firefox to the most recent version by clicking on “Help” and selecting “Search for updates” now.

Dirk Knop
Technical Editor

6 Patches from Microsoft; Vulnerability in Firefox 3.5

Dirk Knop — Wed, 15 Jul 2009 05:37:29 +0000

Microsoft released 6 security bulletins as announced. The actively exploited security hole in a video ActiveX component gets fixed by the updates, also flaws in DirectShow, the Embedded OpenType Font Engine, VirtualPC and -Server, ISA Server and Office 2007. A fix for the recently discovered vulnerability in Office, ISA Server 2004 and 2006 which also gets exploited on the net already is still missing though – so please apply the workarounds described in Microsofts security advisory or use the provided Fix-it-tool.

Microsoft expects exploits for all fixed vulnerabilities within the next 30 days according to the Exploitability Index of the security bulletin summary. The patches should be applied as soon as possible therefore to protect the own computer and/or network.

The Mozilla Foundation issued a warning of a security hole in the Just-in-time compiler for JavaScript of the new Firefox 3.5 web browser. As exploit code is already publicly available they recommend to turn of the compiler temporarily. From the security advisory:

Enter about:config in the browser’s location bar.
Type jit in the Filter box at the top of the config editor.
Double-click the line containing javascript.options.jit.content setting the value to false.

The developers are currently working on a fix. Until then it is a good idea to implement the described workaround.

Dirk Knop
Technical Editor

Microsoft warns of critical DirectX flaw

Dirk Knop — Fri, 29 May 2009 06:16:46 +0000

Microsoft issued a warning about a security vulnerability in DirectX which is reportedly getting actively exploited. The affected component quartz.dll is removed in Windows Vista and 2008 Server (and also in Windows 7), so Windows 2000, XP and 2003 Server are vulnerable. With those operating systems, a user just needs to open a manipulated QuickTime file to infect her computer – independent of the Browser or Software used.

From Microsofts Security Response Center: “The vulnerability is in the QuickTime parser in Microsoft DirectShow. An attacker would try and exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in e-mail. While this isn’t a browser vulnerability, because the vulnerability is in DirectShow, a browser-based vector is potentially accessible through any browser using media plug-ins that use DirectShow. Also, we’ve verified that it is possible to direct calls to DirectShow specifically, even if Apple’s QuickTime (which is not vulnerable) is installed.”

The company offers a solution in a knowledgebase article. Users can apply a fix by clicking on the “fix it”-link in that article with Internet Explorer – currently the fix is undergoing maintenance obviously though. Microsoft writes that it wants to ship a patch as soon as it is production stable. It is unclear weather this means that they want to ship an update out-of-band or if it is ready for the June Black Tuesday.

Dirk Knop
Technical Editor

Mozilla updates

Dirk Knop — Wed, 22 Apr 2009 05:48:10 +0000

The Mozilla Foundation has closed several security holes in its products which allow attackers to inject malicious code for example via manipulated web pages. Affected are Firefox, Thunderbird and the Seamonkey browser suite.

An overview of the vulnerabilities is available at the Mozilla website. As the Mozilla based web browsers are highly popular, the cybercriminals develop malware for them as well. So update your Firefox to the current version 3.0.9, Thunderbird to 2.0.0.22 and Seamonkey to 1.1.17 or newer as soon as possible!

Dirk Knop
Technical Editor

Microsoft Windows, Firefox 3 Update and Spam

Dirk Knop — Thu, 13 Nov 2008 07:08:09 +0000

The developers from the Mozilla project just released an update for Firefox 3, bumping the version number to 3.0.4. The patch remedies 11 vulnerabilities of which 4 are considered crititcal by the Mozilla developers. They may lead to execution of injected code (like a trojan) so please update ASAP.

Microsoft published 3 patches for critical weaknesses in it’s operating systems and the office solutions on November Black Tuesday which also may allow attackers to remotely take over users’ machines. Two patches close holes in Microsofts XML-parser (XMLcore). Another update is available which helps with a security problem which is known for roundabout 7 yeras now, a so called SMB reflector attack: An attacker on a network sends back credentials which he sniffed earlier and gets access to the SMB client. Users and companies are well advised to install the patches soon.

Another story is making rounds in the media concerning an ISP from San Jose in the U.S., McColo. That ISP provided “bullet proof hosting” which is often used for Command&Control-servers for botnets. The two major internet carriers which were connecting McColo to the internet pulled the plug yesterday. Since then the spam rate on the net dropped down to half of the usual amount, sometimes even to 10%. Unfortunately, this won’t hold long as the criminals are loosing profit and for sure look for alternatives.

Dirk Knop
Technical Editor