Mozilla issues security updates

By Dawn Kawamoto
Staff Writer, CNET News

Print
E-mail
Share

Related Stories: Another denial-of-service bug found in Firefox 2
November 1, 2006; Firefox update patches security holes
September 15, 2006

The Mozilla Foundation has issued "critical" security updates to vulnerabilities discovered in the Firefox browser, Thunderbird e-mail client and SeaMonkey application suite.

Flaws were found in versions of the open-source software prior to both Firefox 2.0.0.1 and Firefox 1.5.0.9, as well as prior to Thunderbird 1.5.0.9 and SeaMonkey 1.0.7, Mozilla said Tuesday.

The vulnerabilities could potentially be exploited to conduct cross-site scripting attacks, to let malicious attackers launch a remote execution of code on users' computers, and to expose sensitive information, according to an advisory from security company Secunia.

While Mozilla labeled the updates "critical," Secunia rated them "highly critical."

Mozilla advised people to forgo enabling JavaScript in Thunderbird and the mail portions of its Internet application suite SeaMonkey. People are also advised to download SeaMonkey 1.0.7, which is undergoing its final paces of testing.

"Some of these (flaws) were crashes that showed evidence of memory corruption, and we presume that at least some of these could be exploited to run arbitrary code with enough effort," according to one of six-related "critical" Mozilla security advisories issued Tuesday.

Last month, Mozilla also issued "critical" security updates for Firefox, Thunderbird and SeaMonkey. Like the new flaws, the earlier ones involved the potential for malicious attackers to take hold of users' systems.

See more CNET content tagged:
Mozilla Thunderbird, Mozilla Corp., security update, XSS, Firefox

Add a Comment (Log in or register) 22 comments

A bit misleading, don't you think

by FOSS4evR December 20, 2006 9:43 AM PST

Okay, I've come to not expect "fair and balanced"(TM) reporting from c|Net but come on.

"While Mozilla labeled the updates "critical," Secunia rated them "highly critical.""

Of course Mozilla ONLY labeled the updates "critical", Mozilla's impact key ONLY goes up to critical.

This is just poor journalism.

Reply to this comment

You're a moron!
by anarchyreigns December 20, 2006 10:09 AM PST: <eom>; View reply
Processing

Secunia is a "panic the user" organization
by extinctone December 20, 2006 10:11 AM PST: Their money comes from users who succumb to their panics so they have a "rating" scale that's built to push people's panic buttons. Otherwise people would look at the definition of "critical" and understand that adding "extremely" to it is an exercise in redundancy.; View reply
Processing

Not really much of an issue...

by umbrae December 20, 2006 10:32 AM PST

Since most FF users use NoScript. Most pages I visit never run one line of JavaScript period. Cross Site scripting never happens until I implicitly trust both sites.

Reply to this comment

geek-minded assumptions
by sjkx December 20, 2006 10:52 AM PST: Claiming that "most FF users use NoScript" is a presumptuous
generalization. Frankly, my guess would be that most FF users
don't even know what NoScript is/does.; View all 2 replies
Processing

unpatched flaw in Firefox 2.0.0.1 allows to steal the passwords
by pip_z December 20, 2006 11:43 AM PST: unpatched flaw in Firefox 2.0.0.1 allows to steal the passwords

test here: http://www.info-svc.com/news/11-21-2006/rcsr1/; Reply to this comment

NoScript doesn't protect from SVG remote code execuion in Firefox 2.
by pip_z December 20, 2006 11:46 AM PST: NoScript doesn't protect from SVG remote code execuion in Firefox 2.; Reply to this comment

NoScript doesn't protect from SVG remote code execution in Firefox 2.
by pip_z December 20, 2006 11:48 AM PST: NoScript doesn't protect from SVG remote code execuion in Firefox 2.; Reply to this comment

NoScript doesn't protect from SVG remote code execution in Firefox 2.
by pip_z December 20, 2006 11:48 AM PST: NoScript doesn't protect from SVG remote code execution in Firefox 2.; Reply to this comment

flaw in Firefox 2.0.0.1 allows to steal the passwords
by pip_z December 20, 2006 11:50 AM PST: unpatched flaw in Firefox 2.0.0.1 allows to steal the passwords

test here: http://www.info-svc.com/news/11-21-2006/rcsr1/; Reply to this comment

Opera...

by Mendz December 20, 2006 5:21 PM PST

... is the most secured. Compare:

Opera 9 - 2 patched
http://secunia.com/product/10615/?task=advisories

FF 2 - 1 patched; 1 unpatched
http://secunia.com/product/12434/?task=advisories

IE 7 - 3 unpatched
http://secunia.com/product/12366/?task=advisories

Safari 2 - 2 patched; 3 unpatched
http://secunia.com/product/5289/?task=advisories

Hmmm...

Reply to this comment

1-%...
by Ryo Hazuki December 20, 2006 9:44 PM PST: The fact that a comapany called Secunia doesn't know any unpatched flaws, at a specific time, for a product that is used by less than 1% of people, doesn't mean there are no unpatched flaws and that, thus, doesn't mean that product is the most secured one.
Afterall, it's much more likely to find flaws for something that is used by more than 80% (overal percentage, not IE7-specific, but still a metric) of people, wouldn't you agree?; View all 2 replies
Processing

And more will follow
by Technoswamp December 21, 2006 8:26 AM PST: A prediction: Google's motto is 'Do no Evil' yet their floatation has made them less warm and fuzzy and more corporate. As Firefox matures as a business there will be the temptation to 'make money' (even though they make millions of dollars through search partnerships already!), will bring Firefox into the corporate lime light and the tecnical self appointed elite will turn on them. They will become a traget just like Microsoft - for the ethical, and not-so-ethical hackers looking to 'kick' the corproate man for turning against the geekorati. Or, in the case of 'security' companies, to make a name for themselves.

Watch this space...; Reply to this comment

Don't you all ever get tired...
by System Tyrant December 22, 2006 1:00 PM PST: of this constant bickering about who's right and who's wrong or which is better and which is worse.

Their is no truth to be found. It's all a one sided story. The only real difference between any of us is which side we choose to believe.; Reply to this comment

@FOSS4evR

by anarchyreigns December 22, 2006 1:05 PM PST

Look, you sack of ****, here are just two here. I'll leave it to you with your third grade education to find the rest. Ya know, why don't you do us all a favor and leave this board, as it's the low rent wannabees who have no understanding of how little they know, that ruin it for the rest of us?
http://news.yahoo.com/s/nf/20061220/bs_nf/48890
http://www.cio-today.com/news/Mozilla-Patches-Firefox-and-Thunderbird/story.xhtml?story_id=110003SJ1ECS

Reply to this comment

I disagree.
by System Tyrant December 22, 2006 1:19 PM PST: It's people like you that ruin it for the rest of us. You are the sore thumb here. Even your nickname says that.

Why don't you leave and find some place else to insult people.

See all 22 Comments >>

Latest tech news headlines

Report: AMD Phenom II chips echo Intel's i7
Posted in Nanotech - The Circuits Blog by Brooke Crothers

December 1, 2008 7:00 PM PST
EFF to court: Don't shield telecoms from illegal-spying suits
Posted in News - Digital Media by Greg Sandoval

December 1, 2008 5:42 PM PST
Apple suggests Mac users install antivirus software
Posted in News - Security by Elinor Mills

December 1, 2008 5:30 PM PST
See all headlines

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Markets: Market news, charts, SEC filings, and more; Related quotes; Dow Jones Industrials (-7.70%) -679.95 8,149.09; S&P 500 (-8.93%) -80.03 816.21; NASDAQ (-8.95%) -137.50 1,398.07; CNET TECH (-7.06%) -77.09 1,014.20

Inside CNET News

Scroll Left Scroll Right

Nanotech - The Circuits Blog
Report: AMD Phenom II chips echo Intel's i7
A China-based Web site posts details of AMD's upcoming Phenom II processors with model numbers that seem to match Intel's Core i7 processors.
Gallery
Photos: Space station marks a decade aloft
The first pieces of the International Space Station went into orbit 10 years ago. Now a full-fledged lab facility, it continues to grow.
Security
Apple suggests Mac users install antivirus software
Apple changes its tune by advising Mac users to install antivirus software in nod that even Mac users aren't immune to rising malware threats.
Beyond Binary
Microsoft apologizes for Cashback glitches
Crush of traffic on Black Friday leads shoppers to encounter problems ranging from site sluggishness to the wrong amount of cash back showing in their account.
Video
A toast to online wine
Digital Media
EFF to court: Don't shield telecoms from illegal-spying suits
The Internet advocacy group will argue that its unconstitutional to protect telecoms after they helped Bush administration unlawfully spy on Americans.
Video
Wi-Fi while you fly
Politics and Law
Obama team changes Change.gov copyright policy
Change.gov has a less restricted copyright policy, now that it is copyrighted under a Creative Commons license.
Green Tech
Ta ta, Tesla
Are the Valley-based VCs and big-wigs who back Tesla Motors really serious about asking the federal government for low-interest loans?
Gallery
Photos: Top-rated reviews of the week
Here are a few of CNET Reviews' favorite items from the past week, including Adobe suites, laptop bags, and a Panasonic flat panel TV.
Webware
No escaping Britney Spears: 2008's top searches
Celebrities dominated the top search terms at Yahoo in 2008. Also: people ask Ask.com how to get pregnant and what "maverick" means.
Green Tech
Obama's security adviser calls for energy action
James Jones, incoming national security adviser, is a retired general who advocates for a diverse energy supply and clean-energy technologies in the name of national security.