Mozilla issues fixes for Firefox, SeaMonkey Flaws

The Mozilla Foundation has published a fix for a "critical" JavaScript vulnerability in the Firefox browser and the SeaMonkey application suite. The fix, released Monday, targets Firefox versions 2.0.0.2 and 1.5.0.10, as well as SeaMonkey versions 1.1.1 and 1.0.8. An earlier fix for a JavaScript problem allowed scripts from Web content to execute arbitrary code, the Mozilla Foundation said in a security update.

The vulnerability allowed uniform resource identifiers, or URIs, in image tags to be executed even if JavaScript was disabled in the program preferences, Mozilla said. Disabling JavaScript does not protect against the flaw, so the foundation recommended that users upgrade the applications to new versions. Mozilla's Thunderbird e-mail client was not affected by the vulnerability, it said.

News source: PC World

Report a problem with article
Previous Story

Microsoft looks for better way to search the Net

Next Story

Nokia moving Into Nanotechnology

12 Comments

Commenting is disabled on this article.

theblazingangel said,
i'm confused, are we supposed to be expecting firefox v2.0.0.3 or what?

A quick 2.0.0.3 release is in the pipeline to fix some stupid regressions that 2.0.0.2 introduced.

Firefox 2.0.0.2 and 1.5.0.10 were releaed on Friday 23rd Feb 2007, not Monday [5th March]. However, Seamonkey 1.1.1 and 1.0.8 were released on Friday 2nd March 2007 (not Monday [5th March]) which is a bit closer.

Slimy said,
Where does it say those versions were released Monday? Oh right, it doesn't.

The fix, released Monday, targets Firefox versions 2.0.0.2 and 1.5.0.10

Did you even read the article?

Cryton said,

Did you even read the article?

nice of you to prove yourself wrong, the fix was released monday, not the firefox/seamonkey versions

dev said,
nice of you to prove yourself wrong, the fix was released monday, not the firefox/seamonkey versions

So, um, a fix was release Monday, nearly two weeks after 2.0.0.2 was released? Evidently there's something I don't understand, so if anyone can clear it up that'd be great.

edit: The article is basically bullplop and the author very confused. The

An earlier fix for a JavaScript problem allowed scripts from Web content to execute arbitrary code, the Mozilla Foundation said in a security update.

The vulnerability allowed uniform resource identifiers, or URIs, in image tags to be executed even if JavaScript was disabled in the program preferences, Mozilla said.

is referring to Mozilla Foundation Security Advisory 2006-72 (which was fixed in Fx 2.0.0.1, Fx 1.5.0.9 & SM 1.0,7).

This fix caused a regression:

  • #368655 [Core: DOM]-[FIX]Easy DoS by <img src="java script:for(;; );"> even if javascript disabled [All]
which is a DOS issue, and was fixed in Fx 2.0.0.2, Fx 1.5.0.10, SM 1.0.8 and 1.1.1. None of which were released on Monday.