April 19, 2006 2:40 PM PDT

Mozilla users urged to upgrade

Users have been urged to upgrade to the latest versions of Mozilla's software to protect themselves from a series of critical security holes.

The U.S. Computer Emergency Readiness Team warned on Monday that earlier versions of Firefox, and other Mozilla software based on Firefox code, contain a clutch of vulnerabilities that expose users to attack.

The Mozilla Foundation released a new version of Firefox last week, version 1.5.0.2, which it said contained fixes for several security flaws.

According to security firm Secunia, there are a total of 21 flaws in the older versions of Firefox, such as Firefox 1.5, some of which it described as "highly critical."

US-CERT advises people who use Mozilla's e-mail software, Thunderbird, and the Internet application suite Seamonkey to also upgrade to the latest versions (Thunderbird 1.5 and Seamonkey 1.0.1). US-CERT warned that any other products based on older Mozilla components, particularly the Gecko rendering engine, may also be affected.

Firefox has traditionally been seen as being more secure than other Web browsers such as Microsoft's Internet Explorer. This is thought to be the first time that multiple vulnerabilities have been reported in Firefox and the Mozilla suite.

Secunia warned that hackers could exploit the security holes to gain control of computer systems, conduct phishing attacks and bypass security restrictions.

One error that occurs in Firefox would allow arbitrary JavaScript code to be injected into Web pages as they load.

The vulnerabilities were discovered by Mozilla researchers, including Bernd Mielke, Alden D'Souza and Martijn Wargers, as well as by 3Com researchers working on the TippingPoint Zero Day Initiative.

This initiative encourages "responsible disclosure of vulnerabilities" to vendors, to give them time to put out patches before holes are disclosed to the public. TippingPoint started to disclose the holes to Mozilla from December last year.

Tom Espiner of ZDNet UK reported from London.

116 comments (Showing first 20 comments)
Automatic Updates
by julianrodriguez April 19, 2006 4:09 PM PDT
It's a good thing that from Firefox 1.5 on we have automatic updates.
Not so easy now is it?
by dahkness April 19, 2006 5:45 PM PDT
Everyone is always so quick to hop on the MS bashing bandwagon, but as you can see, it's just not so easy to make an application 100% secure now is it? When something is under the scrutiny of billions of people, even a browser made by The Almighty himself would still be exploited.
It seemed everyone was SOOO quick to talk about how great and secure Firefox was back when it was released. Same with Mozilla, Netscape, Opera, etc. Now look at them. Yet another browser thrown on top of a pile of crap browsers.

IE is still the god of web browsing for end-users in Windows. If you cannot figure out how to use it securely and correctly then you should not be in front of a keyboard; you're slowing down our bandwidth.
Cannot trust IE or Firefox
by Tanjore April 19, 2006 5:50 PM PDT
I was using firefox because IE had so many holes. Now firefox seems to have same problems!
FF is just fine.
by KsprayDad April 19, 2006 6:06 PM PDT
I will continue to use FF given that the Moz Foundation does seem to address security issues quicker than MS and I like the ability to tweak with addons that are not spamware toolbars.

I'm not married to FF but until I hear that it is critically worse than IE I'll stick with it.
US-CERT
by n3td3v April 19, 2006 6:34 PM PDT
This is funny. These guys take so long to give out warnings, that if an attacker was going to use the vulnerabilities, systems would be compromised already. It's like that with all their stuff. Something is posted on a mailing list, then 6 days later, US-CERT are telling people about it. And then, we've got ZDNET, reporting on something US-CERT published on Monday. This is now Wednesday into Thursday now. So, the whole US-CERT alert infrastructure, from those guys deciding something is a threat, to rolling out their warning to people, and then onto the Media to let the masses know. It's all too long, if there was a real threat, how the internet would be shut down by now. US-CERT need a big rethink into their public warning system and coordination with the media, if they are to be effective, when really critical attacks become reality. Thanks, n3td3v
Secunia
by n3td3v April 19, 2006 6:43 PM PDT
Professional scene ****** at their best. And paying big bucks to spam Full-Disclosure mailing list footer message, just to get some web traffic, for people to read their verification of third party disclosures. These guys have as much credibility as Robert Lemos talking up Matthew Murphy, some college kid who blogs a lot.
Check out Oxygen web browser - for security free browsing
by Dean_Ansari April 19, 2006 8:27 PM PDT
Check out Oxygen browser by NetDIVE, it is free of security Holes that plague IE or FireFox:
http://www.netdive.com/htms/products.htm

And it is Free, of cost & advertising.
Also it is very fast because it does not have extras you don't need for web browsing, such as email, IM, etc., which BTW are one of the main reasons IE & FF have so many security holes.

Cheers :)

P.S., Sorry if this message appears Twice. Not sure the system took it 1st time.
Apples and Oranges of Open/Closed Source
by April 19, 2006 10:04 PM PDT
Firefox = open-source transparency, more bugs discovered and reported.
IE = security through obscurity, more bugs hidden.

Firefox's transparency will ultimately create a far superior product, but not without a whole bunch of yellow journalism along the way. Apparently "Firefox crushing more bugs" isn't a sexy headline.
Wow! A Non-Microsoft browser security issue
by aabcdefghij987654321 April 20, 2006 4:14 AM PDT
C|Net usually does the 'ol copy/paste of titles like "Microsoft IE security issues disclosed". How many times since the last non-Microsoft browser? 20, 30 times perhaps? Yeah, nothing is perfect. But keep the perspective true.
Wow! A Non-Microsoft browser security issue
by aabcdefghij987654321 April 20, 2006 4:22 AM PDT
CNet usually does the 'ol copy/paste of titles like "Microsoft IE security issues disclosed". How many times since the last non-Microsoft browser? 20, 30 times perhaps? Yeah, nothing is perfect. But keep the perspective true.