
Critical Flaws Open Up Firefox 2.0x To Attack

Daniel Fleshbourne   on 03 July 2008 - 13:12 · 14 comments & 7461 views

Secunia researchers detected numerous security vulnerabilities in the Mozilla Firefox 2.0x Web browser, many of which enable malicious attackers to hack into vulnerable systems and either shut down or take complete control of a user's computer. Researchers at Secunia, a Copenhagen, Denmark-based security company specializing in vulnerability assessment and management, issued a security advisory Wednesday, warning users of multiple errors they deemed "highly critical."

If exploited, the critical vulnerabilities could potentially allow remote attackers to conduct cross-site scripting and spoofing attacks, bypass security restrictions, disclose sensitive or system information, potentially compromise a user's system, access a user's system or launch a denial of service attack, according to the advisory.

View: The full story @ CRN

(2 replies) #1 vetmarkjensen on 03 Jul 2008 - 13:26
Is it just me, or does it seem that the Mozilla team has been focusing too much on 3.x while letting more and more items go unmaintained in 2.x?
#1.1 +stevember on 03 Jul 2008 - 13:40
Nah, it's just Firefox gaining a larger userbase; as a result, more out there are looking for exploits in it.

It will probably get worse.
#1.2 vetmarkjensen on 03 Jul 2008 - 13:59
(stevember said @ #1.1)
Nah, it's just Firefox gaining a larger userbase; as a result, more out there are looking for exploits in it.

It will probably get worse.
Exploitable code either exists, or it doesn't. A larger userbase makes for a more tempting target. But I am not talking about number of issues. I was talking about lack of patches. And patches have nothing to do with userbase.

It will only get worse if Mozilla gets worse at addressing problems.
(4 replies) #2 Lt-DavidW on 03 Jul 2008 - 13:35
2.x is obsolete. If you want to fix this bug, simply upgrade.
#2.1 vetmarkjensen on 03 Jul 2008 - 14:05
That is a poor attitude (btw, I have been on 3 since late beta). But no other group of developers shows that awful opinion to legacy products when it comes to security. Microsoft issues security updates to older versions, even when the newer version is out. Red Hat does. Ubuntu does. Apple does (I think, but I haven't personally verified by checking each unsorted Secunia advisory).

Firefox 2.x just recently became "obsolete", but where the hell were the patches and maintainers for the past year? Oh yeah, mostly on 3.x.

I use Firefox almost exclusively (Konqueror and Epiphany on more rare occasions), but I am not happy with their recent reduction in apparent effort in maintenance.
#2.2 GreyWolfSC on 03 Jul 2008 - 14:51
(Lt-DavidW said @ #2)
2.x is obsolete. If you want to fix this bug, simply upgrade.


I will as soon as the real version 3 comes out, not the alpha one they released. Anyway, they already fixed this bug. I got an update yesterday with this remote-code bug listed in the changelog.

However, users are only susceptible to exploitation if they're running versions prior to 2.0.0.15, the advisory warned.
#2.3 vetmarkjensen on 03 Jul 2008 - 15:39
(GreyWolfSC said @ #2.2)
... Anyway, they already fixed this bug. I got an update yesterday with this remote-code bug listed in the changelog.

However, users are only susceptible to exploitation if they're running versions prior to 2.0.0.15, the advisory warned.
Ah, this is acceptable to me. I might have been confusing this particular issue with the several others that are known and open. In fact, once they get the recent "high" severity item closed, they will be back to an overall "low" severity rating on Secunia.

Thanks for pointing that out, as this isn't something for me to get on my rant box, like I thought it was.

Maybe switching to decaf would be a good idea for me.
#2.4 +mrbester on 04 Jul 2008 - 10:46
However, users are only susceptible to exploitation if they're running versions prior to 2.0.0.15, the advisory warned.

Huh. I updated to 2.0.0.15 yesterday (auto-update) and on start-up this morning I found that my settings had gone. All of them. This includes the settings for the gazillion extensions I've got installed. All of them.
#3 Jeremy of Many on 03 Jul 2008 - 17:01
Uh, then update to version 3?
(1 reply) #4 Cryton on 04 Jul 2008 - 12:25
2.0 is not obsolete... it will receive continuing updates until December 2008
#4.1 Jeremy of Many on 04 Jul 2008 - 16:45
(Cryton said @ #4)
2.0 is not obsolete... it will receive continuing updates until December 2008

3.0 is a lot faster than 2.0 so it is pointless to continue using 2.0.
(2 replies) #5 obsolete_power on 05 Jul 2008 - 03:18
2.0 has memory leaks and is slower than 3.0. I see no reason for anyone to still be using 2.0....does it really take that long to upgrade? There is absolutely no excuse for still using 2.0.
#5.1 night_stalker_z on 05 Jul 2008 - 13:56
I have to completely agree with that. The only thing that might make people stay with 2.0 are certain extensions which aren't updated as well as certain sites like Hotmail.
#5.2 SakuraKira on 05 Jul 2008 - 16:19
Some people act like they can't use the browser at all without their extensions. Though I guess I really shouldn't say anything, as I use no extensions and have no basis for comparison. I've never really understood not upgrading to major versions, I've noticed the same behavior with Windows Service packs.


@+GreyWolfSC: How is Firefox 3 still an "Alpha"?
