The Mozilla Foundation has published a fix for a "critical" JavaScript vulnerability in the Firefox browser and the SeaMonkey application suite. The fix, released Monday, targets Firefox versions 2.0.0.2 and 1.5.0.10, as well as SeaMonkey versions 1.1.1 and 1.0.8. An earlier fix for a JavaScript problem allowed scripts from Web content to execute arbitrary code, the Mozilla Foundation said in a security update.
The vulnerability allowed uniform resource identifiers, or URIs, in image tags to be executed even if JavaScript was disabled in the program preferences, Mozilla said. Disabling JavaScript does not protect against the flaw, so the foundation recommended that users upgrade the applications to new versions. Mozilla's Thunderbird e-mail client was not affected by the vulnerability, it said.
News source: PC World
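The article describes the core of the problem: a URI placed in an image tag's src was handled as script even though the user had turned JavaScript off, so the "is scripting enabled" preference was never the right control. What does protect against this class of bug is a check on the URI scheme itself. The block below is an added example written for this page, not code from the PC World article, from Mozilla, or from either browser release; the function names (normalizeUrl, isSafeImageSrc, sanitizeImages), the allowlist, and the sample HTML are all my own assumptions. It applies a strict scheme allowlist to every <img src> in an HTML fragment, the kind of check a server-side sanitizer performs before emitting user-supplied markup, and it goes a step beyond the single case in the article by also handling the obfuscations (mixed case, embedded tab/newline characters, a bogus scheme with a space in it) that have historically slipped past naive "javascript:" string matches.

```javascript
// Added example (not from the article or from Mozilla's code): a strict
// allowlist check on the scheme of an <img src> value, plus a small sanitizer
// that drops <img> tags whose src fails the check. The check does not depend
// on whether the consumer has scripting enabled, which is the point: a
// javascript: URI in an image must be rejected regardless of that preference.

// Assumption: only plain http/https images are acceptable. data: is deliberately
// excluded; widen the set only if the application really needs it.
const ALLOWED_IMAGE_SCHEMES = new Set(["http", "https"]);

// Strip ASCII control characters (tab, newline, CR, NUL, ...) and surrounding
// whitespace, mirroring the lenient pre-processing browsers apply to URLs, so
// that "JAVA\tSCRIPT:" is seen for what it is.
function normalizeUrl(raw) {
  if (raw === null || raw === undefined) return "";
  return String(raw).replace(/[\u0000-\u001f\u007f]/g, "").trim();
}

// Returns true only if the value is a relative URL or an absolute URL whose
// scheme is allowlisted. Anything with a ':' before the first '/', '?' or '#'
// is treated as claiming a scheme; a claimed scheme that is not on the list
// (including malformed ones such as "java script") is rejected outright,
// which is the conservative choice for a sanitizer.
function isSafeImageSrc(raw) {
  const url = normalizeUrl(raw);
  if (url === "") return false;
  const idx = url.search(/[:\/?#]/);
  if (idx === -1 || url[idx] !== ":") return true; // relative or scheme-relative
  const scheme = url.slice(0, idx).toLowerCase();
  return ALLOWED_IMAGE_SCHEMES.has(scheme);
}

// Regex-based tag scanning is enough for this illustration; a production
// sanitizer should walk a real DOM tree instead of pattern-matching markup.
const IMG_TAG = /<img\b[^>]*>/gi;
const SRC_ATTR = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// Removes every <img> whose src fails isSafeImageSrc; returns the cleaned
// fragment and how many tags were dropped.
function sanitizeImages(html) {
  let dropped = 0;
  const out = html.replace(IMG_TAG, (tag) => {
    const m = SRC_ATTR.exec(tag);
    const src = m ? (m[1] ?? m[2] ?? m[3]) : "";
    if (isSafeImageSrc(src)) return tag;
    dropped += 1;
    return "";
  });
  return { html: out, dropped };
}

// Constructed sample input (assumed, not taken from the page): two benign
// images and three that must be dropped.
const SAMPLE_HTML = [
  "<p>Hello</p>",
  '<img src="http://example.invalid/logo.png">',     // kept: allowlisted scheme
  '<img src="javascript:alert(1)">',                  // dropped: script URI
  "<img src='JAVA\tSCRIPT:for(;;);'>",                // dropped: tab-obfuscated, the DoS shape
  '<img src="../img/pic.jpg">',                       // kept: relative URL
  '<img src="data:image/gif;base64,R0lGODlh">',       // dropped: not allowlisted
].join("\n");

const result = sanitizeImages(SAMPLE_HTML);
console.log(`dropped ${result.dropped} image(s)`);
console.log(result.html);

module.exports = { normalizeUrl, isSafeImageSrc, sanitizeImages, SAMPLE_HTML };
```

Run it with `node` and the sample fragment loses its three hostile images while the http and relative ones survive. The design choice worth noting is that the check is an allowlist on the scheme, not a denylist on the string "javascript": denylists are what the case and control-character tricks were invented to defeat.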

Last edited by Davebo on 07 Mar 2007 - 14:38
Did you even read the article?
Nice of you to prove yourself wrong: the fix was released Monday, not the Firefox/SeaMonkey versions.
So, um, a fix was released Monday, nearly two weeks after 2.0.0.2 was released? Evidently there's something I don't understand, so if anyone can clear it up that'd be great.
edit: The article is basically bullplop and the author very confused. The
The vulnerability allowed uniform resource identifiers, or URIs, in image tags to be executed even if JavaScript was disabled in the program preferences, Mozilla said.
This fix caused a regression:
- #368655 [Core: DOM]-[FIX]Easy DoS by <img src="javascript:for(;;);"> even if javascript disabled [All]
which is a DoS issue, and was fixed in Fx 2.0.0.2, Fx 1.5.0.10, SM 1.0.8 and 1.1.1, none of which were released on Monday.
Last edited by Cryton on 07 Mar 2007 - 16:13
A quick 2.0.0.3 release is in the pipeline to fix some stupid regressions that 2.0.0.2 introduced.
http://www.zdnet.com.au/news/software/soa/...39274063,00.htm
http://www.mozilla.org/security/announce/2...fsa2007-09.html