FIREFOX 3.0 and lower vulnerability

MEB · Jun 19, 2008

Code execution vulnerability found in Firefox 3.0

Ryan Naraine: Just hours after the official release of the
latest refresh of Mozilla's flagship browser, an unnamed researcher has sold
a critical code execution vulnerability that puts millions of Firefox3.0
users at risk of PC takeover attacks.

http://blogs.zdnet.com/security/?p=1288

--
MEB
http://peoplescounsel.orgfree.com
--
_________

Gary S. Terhune · Jun 19, 2008

So much for all those people who claim IE must be removed and replaced with
something else, Firefox being the most frequently mentioned.

How long do you think it will take to fix it?

--
Gary S. Terhune
MS-MVP Shell/User
http://grystmill.com

"MEB" <meb@not here@hotmail.com> wrote in message
news:%234bxhlj0IHA.2188@TK2MSFTNGP04.phx.gbl...
>
> Code execution vulnerability found in Firefox 3.0
>
> Ryan Naraine: Just hours after the official release of the
> latest refresh of Mozilla's flagship browser, an unnamed researcher has
> sold
> a critical code execution vulnerability that puts millions of Firefox3.0
> users at risk of PC takeover attacks.
>
> http://blogs.zdnet.com/security/?p=1288
>
> --
> MEB
> http://peoplescounsel.orgfree.com
> --
> _________
>
>

Julie · Jun 19, 2008

What does this have to do with Windows 98. Firefox 3.0 is incompatible with
Win98.

"MEB" <meb@not here@hotmail.com> wrote in message
news:%234bxhlj0IHA.2188@TK2MSFTNGP04.phx.gbl...
>
> Code execution vulnerability found in Firefox 3.0
>
> Ryan Naraine: Just hours after the official release of the
> latest refresh of Mozilla's flagship browser, an unnamed researcher has
sold
> a critical code execution vulnerability that puts millions of Firefox3.0
> users at risk of PC takeover attacks.
>
> http://blogs.zdnet.com/security/?p=1288
>
> --
> MEB
> http://peoplescounsel.orgfree.com
> --
> _________
>
>

Gary S. Terhune · Jun 19, 2008

While you have a legitimate point, think of it as part of an ongoing
discussion about various OSes and their comparative "vulnerabilities".
Whenever someone posts a problem with IE or OE it's a good bet that someone
will slam them for even using those apps, saying they should use Thunderbird
or Firefox (or whatever), instead, because these latter are so totally safe
from intrusion. Or they go even further and claim that Windows is a disaster
due to so many vulnerabilities, and some other OS should be used instead,
ignoring the fact that if their recommendation owned 80% to 90% of the
market, it would be considered just as bad as Windows is now considered.

Likewise, MEB recently posted two CERTs exposing vulnerabilities in the
latest QuickTime and SNMPv3, neither of which are MS products but both of
which are serious problems for Windows users in general. My response was
that of course EVERY bit of software potentially contains code which makes
it vulnerable to attack in some way, and for that reason, every sane person
should throw away their computers and all computer-based items immediately
(which means nearly every appliance in a modern person's panoply -- cell
phone, Blackberries, I-whatevers), and stop using things like banks and any
other critical service that uses computers

I was being facetious, of course...I think... My point is that you don't
totally outlaw automobiles and return to the slow-poke age of horsecrap
everywhere, just because a relatively few people get hurt or killed every
year, even when they're driving the most modern automobile available. It's a
baby & bathwater kind of thing.

The tie-in to Windows 9x is that more and more companies are no longer
supporting 9x in any way, and IF you're really worried about all that stuff,
you should definitely quit using 9x altogether. Personally, some standard
layers of anti-malware protection and sensible habits, plus the fact that in
most cases the problem is fixed before the public (including the bad guys)
even know there is one, make nearly all those vulnerabilities irrelevant,
even if they remain unpatched. (Just as an added comment, this is why
auto-updaters, or at least some very in-your-face and timely update
notifications, ARE so important. Problem is, you can't run them on Windows
9x because they suck up the puny Resources 9x is cursed with.) The real
problem for Win98 users will be when there are no longer any AV or other
anti-malware or firewall apps that work on them.

--
Gary S. Terhune
MS-MVP Shell/User
http://grystmill.com

"Julie" <julieb@bellsouth.net> wrote in message
news:%23knLZtk0IHA.2408@TK2MSFTNGP04.phx.gbl...
> What does this have to do with Windows 98. Firefox 3.0 is incompatible
> with
> Win98.
>
>
> "MEB" <meb@not here@hotmail.com> wrote in message
> news:%234bxhlj0IHA.2188@TK2MSFTNGP04.phx.gbl...
>>
>> Code execution vulnerability found in Firefox 3.0
>>
>> Ryan Naraine: Just hours after the official release of the
>> latest refresh of Mozilla's flagship browser, an unnamed researcher has
> sold
>> a critical code execution vulnerability that puts millions of Firefox3.0
>> users at risk of PC takeover attacks.
>>
>> http://blogs.zdnet.com/security/?p=1288
>>
>> --
>> MEB
>> http://peoplescounsel.orgfree.com
>> --
>> _________
>>
>>
>
>

MEB · Jun 19, 2008

In part, Gary has responded however, the point you apparently missed is
that this vulnerability IS present in prior versions, the party who
discovered and documented the vulnerability waited until the 3.0 version to
*cash in* [get paid for the discovery]. So likely, any Firefox 2.+ version
also contains this vulnerability.. whether it will be patched in those
versions is unknown.
NOTE that it says *and lower* in the heading.

--
MEB
http://peoplescounsel.orgfree.com
--
_________

"Julie" <julieb@bellsouth.net> wrote in message
news:%23knLZtk0IHA.2408@TK2MSFTNGP04.phx.gbl...
| What does this have to do with Windows 98. Firefox 3.0 is incompatible
with
| Win98.
|
|
| "MEB" <meb@not here@hotmail.com> wrote in message
| news:%234bxhlj0IHA.2188@TK2MSFTNGP04.phx.gbl...
| >
| > Code execution vulnerability found in Firefox 3.0
| >
| > Ryan Naraine: Just hours after the official release of the
| > latest refresh of Mozilla's flagship browser, an unnamed researcher has
| sold
| > a critical code execution vulnerability that puts millions of Firefox3.0
| > users at risk of PC takeover attacks.
| >
| > http://blogs.zdnet.com/security/?p=1288
| >
| > --
| > MEB
| > http://peoplescounsel.orgfree.com
| > --
| > _________
| >
| >
|
|

Jim · Jun 19, 2008

Isn't FFv.x.x a shell technology that rides on top of windows explorer? If
the internet browser is vulnerable, what about explorer?

MEB · Jun 19, 2008

Not quite sure what the question relates too.. the code for Firefox is what
makes the vulnerability to attack, no vulnerability in the code, the attack
point doesn't exist.

--
MEB
http://peoplescounsel.orgfree.com
--
_________

"Jim" <invalid@example.invalid> wrote in message
news:uqq6ypm0IHA.3884@TK2MSFTNGP05.phx.gbl...
| Isn't FFv.x.x a shell technology that rides on top of windows explorer? If
| the internet browser is vulnerable, what about explorer?
|
|

Jim · Jun 19, 2008

If you look at MS Autoruns with MS entries showing and then not. You will
see that the software [*.dll] running the MSIE is Windows Explorer. The IE
is also just a shell.
"MEB" <meb@not here@hotmail.com> wrote in message
news:O3vUFon0IHA.5728@TK2MSFTNGP06.phx.gbl...
> Not quite sure what the question relates too.. the code for Firefox is
what
> makes the vulnerability to attack, no vulnerability in the code, the
attack
> point doesn't exist.
>
> --
> MEB
> http://peoplescounsel.orgfree.com
> --
> _________
>
> "Jim" <invalid@example.invalid> wrote in message
> news:uqq6ypm0IHA.3884@TK2MSFTNGP05.phx.gbl...
> | Isn't FFv.x.x a shell technology that rides on top of windows explorer?
If
> | the internet browser is vulnerable, what about explorer?
> |
> |
>
>

Gary S. Terhune · Jun 19, 2008

Thought I'd toss in that IE is not just a browser but is also the shell for
HTML Help and an increasing number of Windows applications' GUIs.

--
Gary S. Terhune
MS-MVP Shell/User
http://grystmill.com

"Jim" <invalid@example.invalid> wrote in message
news:uKGXq3n0IHA.552@TK2MSFTNGP06.phx.gbl...
> If you look at MS Autoruns with MS entries showing and then not. You will
> see that the software [*.dll] running the MSIE is Windows Explorer. The IE
> is also just a shell.
> "MEB" <meb@not here@hotmail.com> wrote in message
> news:O3vUFon0IHA.5728@TK2MSFTNGP06.phx.gbl...
>> Not quite sure what the question relates too.. the code for Firefox is
> what
>> makes the vulnerability to attack, no vulnerability in the code, the
> attack
>> point doesn't exist.
>>
>> --
>> MEB
>> http://peoplescounsel.orgfree.com
>> --
>> _________
>>
>> "Jim" <invalid@example.invalid> wrote in message
>> news:uqq6ypm0IHA.3884@TK2MSFTNGP05.phx.gbl...
>> | Isn't FFv.x.x a shell technology that rides on top of windows explorer?
> If
>> | the internet browser is vulnerable, what about explorer?
>> |
>> |
>>
>>
>
>

MEB · Jun 20, 2008

Ah, okay, but then you do understand that Explorer is the graphical
interface to {most} of Windows GUI aspects. I see your point though.
Try using Dependency Walker on IExplore, C:\Program Files\Mozilla
Firefox\firefox.exe, and a few other programs. Profile them ...
If your feeling like you want the *big picture*, run filemon and/or regmon
while you do this activity... after you run through those, open some of your
favorite programs also while running filemon/regmon..

So that still doesn't explain your original question. The code error is in
Firefox, the vulnerability is fixed if/when that code is fixed. IS Explorer
vulnerable,, ah I suppose so,,, buuuuuutttttt, not without the unfixed
Firefox running which supplies/provides the vulnerability.

--
MEB
http://peoplescounsel.orgfree.com
--
_________

"Jim" <invalid@example.invalid> wrote in message
news:uKGXq3n0IHA.552@TK2MSFTNGP06.phx.gbl...
| If you look at MS Autoruns with MS entries showing and then not. You will
| see that the software [*.dll] running the MSIE is Windows Explorer. The IE
| is also just a shell.
| "MEB" <meb@not here@hotmail.com> wrote in message
| news:O3vUFon0IHA.5728@TK2MSFTNGP06.phx.gbl...
| > Not quite sure what the question relates too.. the code for Firefox is
| what
| > makes the vulnerability to attack, no vulnerability in the code, the
| attack
| > point doesn't exist.
| >
| > --
| > MEB
| > http://peoplescounsel.orgfree.com
| > --
| > _________
| >
| > "Jim" <invalid@example.invalid> wrote in message
| > news:uqq6ypm0IHA.3884@TK2MSFTNGP05.phx.gbl...
| > | Isn't FFv.x.x a shell technology that rides on top of windows
explorer?
| If
| > | the internet browser is vulnerable, what about explorer?
| > |
| > |
| >
| >
|
|

Jim · Jun 20, 2008

Yes. This is because we all are working online almost all the time and in my
configuration I am always online from network bootup. Basically, working
like xp with a win98se OS and not as much system resources...but with BB and
smart choices of running services, ha! I am doing better than most with
xp...willard hates me... [see willard crash on win98 on youtube].
"Gary S. Terhune" <none> wrote in message
news:%23J8fAgo0IHA.2188@TK2MSFTNGP04.phx.gbl...
> Thought I'd toss in that IE is not just a browser but is also the shell
for
> HTML Help and an increasing number of Windows applications' GUIs.
>
> --
> Gary S. Terhune
> MS-MVP Shell/User
> http://grystmill.com
>
> "Jim" <invalid@example.invalid> wrote in message
> news:uKGXq3n0IHA.552@TK2MSFTNGP06.phx.gbl...
> > If you look at MS Autoruns with MS entries showing and then not. You
will
> > see that the software [*.dll] running the MSIE is Windows Explorer. The
IE
> > is also just a shell.
> > "MEB" <meb@not here@hotmail.com> wrote in message
> > news:O3vUFon0IHA.5728@TK2MSFTNGP06.phx.gbl...
> >> Not quite sure what the question relates too.. the code for Firefox is
> > what
> >> makes the vulnerability to attack, no vulnerability in the code, the
> > attack
> >> point doesn't exist.
> >>
> >> --
> >> MEB
> >> http://peoplescounsel.orgfree.com
> >> --
> >> _________
> >>
> >> "Jim" <invalid@example.invalid> wrote in message
> >> news:uqq6ypm0IHA.3884@TK2MSFTNGP05.phx.gbl...
> >> | Isn't FFv.x.x a shell technology that rides on top of windows
explorer?
> > If
> >> | the internet browser is vulnerable, what about explorer?
> >> |
> >> |
> >>
> >>
> >
> >
>
>

Gary S. Terhune · Jun 20, 2008

You know, I can't make much sense out of what you wrote. What does my
addendum above have to do with always being online? What's "BB"? And what
makes you think that you're doing better than "most" people who use XP?
That's pure BS. Typical false logic of comparing your obsessively tuned but
obsolete OS with one that is a powerhouse and runs much better than 9x if
properly managed. In fact, XP is much better idiot-proofed than 9x, so I'd
say you must be comparing yourself to particularly stupid crowd of idiots if
they're having more trouble with WinXP than you are with 9x.

Why is it that 9x enthusiasts insist on comparing themselves to incompetent
idiots? Because that's the only way they can win the argument, perhaps?

--
Gary S. Terhune
MS-MVP Shell/User
http://grystmill.com

"Jim" <invalid@example.invalid> wrote in message
news:u6AQQEu0IHA.3920@TK2MSFTNGP02.phx.gbl...
> Yes. This is because we all are working online almost all the time and in
> my
> configuration I am always online from network bootup. Basically, working
> like xp with a win98se OS and not as much system resources...but with BB
> and
> smart choices of running services, ha! I am doing better than most with
> xp...willard hates me... [see willard crash on win98 on youtube].
> "Gary S. Terhune" <none> wrote in message
> news:%23J8fAgo0IHA.2188@TK2MSFTNGP04.phx.gbl...
>> Thought I'd toss in that IE is not just a browser but is also the shell
> for
>> HTML Help and an increasing number of Windows applications' GUIs.
>>
>> --
>> Gary S. Terhune
>> MS-MVP Shell/User
>> http://grystmill.com
>>
>> "Jim" <invalid@example.invalid> wrote in message
>> news:uKGXq3n0IHA.552@TK2MSFTNGP06.phx.gbl...
>> > If you look at MS Autoruns with MS entries showing and then not. You
> will
>> > see that the software [*.dll] running the MSIE is Windows Explorer. The
> IE
>> > is also just a shell.
>> > "MEB" <meb@not here@hotmail.com> wrote in message
>> > news:O3vUFon0IHA.5728@TK2MSFTNGP06.phx.gbl...
>> >> Not quite sure what the question relates too.. the code for Firefox is
>> > what
>> >> makes the vulnerability to attack, no vulnerability in the code, the
>> > attack
>> >> point doesn't exist.
>> >>
>> >> --
>> >> MEB
>> >> http://peoplescounsel.orgfree.com
>> >> --
>> >> _________
>> >>
>> >> "Jim" <invalid@example.invalid> wrote in message
>> >> news:uqq6ypm0IHA.3884@TK2MSFTNGP05.phx.gbl...
>> >> | Isn't FFv.x.x a shell technology that rides on top of windows
> explorer?
>> > If
>> >> | the internet browser is vulnerable, what about explorer?
>> >> |
>> >> |
>> >>
>> >>
>> >
>> >
>>
>>
>
>

Dan · Jun 21, 2008

Here is some information about the vulnerability from secunia ---

http://secunia.com/advisories/30761/

Currently, Firefox users are looking at a July 1, 2008

http://wiki.mozilla.org/Releases/Firefox_2.0.0.15

"MEB" wrote:

> Ah, okay, but then you do understand that Explorer is the graphical
> interface to {most} of Windows GUI aspects. I see your point though.
> Try using Dependency Walker on IExplore, C:\Program Files\Mozilla
> Firefox\firefox.exe, and a few other programs. Profile them ...
> If your feeling like you want the *big picture*, run filemon and/or regmon
> while you do this activity... after you run through those, open some of your
> favorite programs also while running filemon/regmon..
>
> So that still doesn't explain your original question. The code error is in
> Firefox, the vulnerability is fixed if/when that code is fixed. IS Explorer
> vulnerable,, ah I suppose so,,, buuuuuutttttt, not without the unfixed
> Firefox running which supplies/provides the vulnerability.
>
> --
> MEB
> http://peoplescounsel.orgfree.com
> --
> _________
>
>
> "Jim" <invalid@example.invalid> wrote in message
> news:uKGXq3n0IHA.552@TK2MSFTNGP06.phx.gbl...
> | If you look at MS Autoruns with MS entries showing and then not. You will
> | see that the software [*.dll] running the MSIE is Windows Explorer. The IE
> | is also just a shell.
> | "MEB" <meb@not here@hotmail.com> wrote in message
> | news:O3vUFon0IHA.5728@TK2MSFTNGP06.phx.gbl...
> | > Not quite sure what the question relates too.. the code for Firefox is
> | what
> | > makes the vulnerability to attack, no vulnerability in the code, the
> | attack
> | > point doesn't exist.
> | >
> | > --
> | > MEB
> | > http://peoplescounsel.orgfree.com
> | > --
> | > _________
> | >
> | > "Jim" <invalid@example.invalid> wrote in message
> | > news:uqq6ypm0IHA.3884@TK2MSFTNGP05.phx.gbl...
> | > | Isn't FFv.x.x a shell technology that rides on top of windows
> explorer?
> | If
> | > | the internet browser is vulnerable, what about explorer?
> | > |
> | > |
> | >
> | >
> |
> |
>
>
>

MEB · Jun 21, 2008

Thanks for the links, but is that version FREE of the vulnerability to your
knowledge?

--
MEB
http://peoplescounsel.orgfree.com
--
_________

"Dan" <Dan@discussions.microsoft.com> wrote in message
news

CA38CC2-D287-4521-B8C4-AF1B7BEFA2F8@microsoft.com...
| Here is some information about the vulnerability from secunia ---
|
| http://secunia.com/advisories/30761/
|
| Currently, Firefox users are looking at a July 1, 2008
|
| http://wiki.mozilla.org/Releases/Firefox_2.0.0.15
|
| "MEB" wrote:
|
| > Ah, okay, but then you do understand that Explorer is the graphical
| > interface to {most} of Windows GUI aspects. I see your point though.
| > Try using Dependency Walker on IExplore, C:\Program Files\Mozilla
| > Firefox\firefox.exe, and a few other programs. Profile them ...
| > If your feeling like you want the *big picture*, run filemon and/or
regmon
| > while you do this activity... after you run through those, open some of
your
| > favorite programs also while running filemon/regmon..
| >
| > So that still doesn't explain your original question. The code error is
in
| > Firefox, the vulnerability is fixed if/when that code is fixed. IS
Explorer
| > vulnerable,, ah I suppose so,,, buuuuuutttttt, not without the unfixed
| > Firefox running which supplies/provides the vulnerability.
| >
| > --
| > MEB
| > http://peoplescounsel.orgfree.com
| > --
| > _________
| >
| >
| > "Jim" <invalid@example.invalid> wrote in message
| > news:uKGXq3n0IHA.552@TK2MSFTNGP06.phx.gbl...
| > | If you look at MS Autoruns with MS entries showing and then not. You
will
| > | see that the software [*.dll] running the MSIE is Windows Explorer.
The IE
| > | is also just a shell.
| > | "MEB" <meb@not here@hotmail.com> wrote in message
| > | news:O3vUFon0IHA.5728@TK2MSFTNGP06.phx.gbl...
| > | > Not quite sure what the question relates too.. the code for Firefox
is
| > | what
| > | > makes the vulnerability to attack, no vulnerability in the code, the
| > | attack
| > | > point doesn't exist.
| > | >
| > | > --
| > | > MEB
| > | > http://peoplescounsel.orgfree.com
| > | > --
| > | > _________
| > | >
| > | > "Jim" <invalid@example.invalid> wrote in message
| > | > news:uqq6ypm0IHA.3884@TK2MSFTNGP05.phx.gbl...
| > | > | Isn't FFv.x.x a shell technology that rides on top of windows
| > explorer?
| > | If
| > | > | the internet browser is vulnerable, what about explorer?
| > | > |
| > | > |
| > | >
| > | >
| > |
| > |
| >
| >
| >

Dan · Jun 21, 2008

The new updated version has not been released yet and I think it should be
free from the vulnerability because Mozilla pushed the release date back a
few days and my guess is that the reason was because of this vulnerability.
The big problem is that Mozilla Firefox has this highly critical
vulnerability and it appears the new version of Opera is problematic for some
users so that leaves Internet Explorer or some other lesser known browser for
users to more safely use. I would caution users to be careful what browsers
they download because there are always people out there that will try and
take advantage of the situation and have browsers that do not work well or
worse are spyware or malware infested.

"MEB" wrote:

> Thanks for the links, but is that version FREE of the vulnerability to your
> knowledge?
>
> --
> MEB
> http://peoplescounsel.orgfree.com
> --
> _________
>
> "Dan" <Dan@discussions.microsoft.com> wrote in message
> news

CA38CC2-D287-4521-B8C4-AF1B7BEFA2F8@microsoft.com...
> | Here is some information about the vulnerability from secunia ---
> |
> | http://secunia.com/advisories/30761/
> |
> | Currently, Firefox users are looking at a July 1, 2008
> |
> | http://wiki.mozilla.org/Releases/Firefox_2.0.0.15
> |
> | "MEB" wrote:
> |
> | > Ah, okay, but then you do understand that Explorer is the graphical
> | > interface to {most} of Windows GUI aspects. I see your point though.
> | > Try using Dependency Walker on IExplore, C:\Program Files\Mozilla
> | > Firefox\firefox.exe, and a few other programs. Profile them ...
> | > If your feeling like you want the *big picture*, run filemon and/or
> regmon
> | > while you do this activity... after you run through those, open some of
> your
> | > favorite programs also while running filemon/regmon..
> | >
> | > So that still doesn't explain your original question. The code error is
> in
> | > Firefox, the vulnerability is fixed if/when that code is fixed. IS
> Explorer
> | > vulnerable,, ah I suppose so,,, buuuuuutttttt, not without the unfixed
> | > Firefox running which supplies/provides the vulnerability.
> | >
> | > --
> | > MEB
> | > http://peoplescounsel.orgfree.com
> | > --
> | > _________
> | >
> | >
> | > "Jim" <invalid@example.invalid> wrote in message
> | > news:uKGXq3n0IHA.552@TK2MSFTNGP06.phx.gbl...
> | > | If you look at MS Autoruns with MS entries showing and then not. You
> will
> | > | see that the software [*.dll] running the MSIE is Windows Explorer.
> The IE
> | > | is also just a shell.
> | > | "MEB" <meb@not here@hotmail.com> wrote in message
> | > | news:O3vUFon0IHA.5728@TK2MSFTNGP06.phx.gbl...
> | > | > Not quite sure what the question relates too.. the code for Firefox
> is
> | > | what
> | > | > makes the vulnerability to attack, no vulnerability in the code, the
> | > | attack
> | > | > point doesn't exist.
> | > | >
> | > | > --
> | > | > MEB
> | > | > http://peoplescounsel.orgfree.com
> | > | > --
> | > | > _________
> | > | >
> | > | > "Jim" <invalid@example.invalid> wrote in message
> | > | > news:uqq6ypm0IHA.3884@TK2MSFTNGP05.phx.gbl...
> | > | > | Isn't FFv.x.x a shell technology that rides on top of windows
> | > explorer?
> | > | If
> | > | > | the internet browser is vulnerable, what about explorer?
> | > | > |
> | > | > |
> | > | >
> | > | >
> | > |
> | > |
> | >
> | >
> | >
>
>
>

MEB · Jun 21, 2008

Thanks Dan, keep us posted on the outcome...

--
MEB
http://peoplescounsel.orgfree.com
--
_________

"Dan" <Dan@discussions.microsoft.com> wrote in message
news:C241B07A-73CB-402C-803E-216C4FC7C4C7@microsoft.com...
| The new updated version has not been released yet and I think it should be
| free from the vulnerability because Mozilla pushed the release date back a
| few days and my guess is that the reason was because of this
vulnerability.
| The big problem is that Mozilla Firefox has this highly critical
| vulnerability and it appears the new version of Opera is problematic for
some
| users so that leaves Internet Explorer or some other lesser known browser
for
| users to more safely use. I would caution users to be careful what
browsers
| they download because there are always people out there that will try and
| take advantage of the situation and have browsers that do not work well or
| worse are spyware or malware infested.
|
|
| "MEB" wrote:
|
| > Thanks for the links, but is that version FREE of the vulnerability to
your
| > knowledge?
| >
| > --
| > MEB
| > http://peoplescounsel.orgfree.com
| > --
| > _________
| >
| > "Dan" <Dan@discussions.microsoft.com> wrote in message
| > news

CA38CC2-D287-4521-B8C4-AF1B7BEFA2F8@microsoft.com...
| > | Here is some information about the vulnerability from secunia ---
| > |
| > | http://secunia.com/advisories/30761/
| > |
| > | Currently, Firefox users are looking at a July 1, 2008
| > |
| > | http://wiki.mozilla.org/Releases/Firefox_2.0.0.15
| > |
| > | "MEB" wrote:
| > |
| > | > Ah, okay, but then you do understand that Explorer is the graphical
| > | > interface to {most} of Windows GUI aspects. I see your point though.
| > | > Try using Dependency Walker on IExplore, C:\Program Files\Mozilla
| > | > Firefox\firefox.exe, and a few other programs. Profile them ...
| > | > If your feeling like you want the *big picture*, run filemon and/or
| > regmon
| > | > while you do this activity... after you run through those, open some
of
| > your
| > | > favorite programs also while running filemon/regmon..
| > | >
| > | > So that still doesn't explain your original question. The code
error is
| > in
| > | > Firefox, the vulnerability is fixed if/when that code is fixed. IS
| > Explorer
| > | > vulnerable,, ah I suppose so,,, buuuuuutttttt, not without the
unfixed
| > | > Firefox running which supplies/provides the vulnerability.
| > | >
| > | > --
| > | > MEB
| > | > http://peoplescounsel.orgfree.com
| > | > --
| > | > _________
| > | >
| > | >
| > | > "Jim" <invalid@example.invalid> wrote in message
| > | > news:uKGXq3n0IHA.552@TK2MSFTNGP06.phx.gbl...
| > | > | If you look at MS Autoruns with MS entries showing and then not.
You
| > will
| > | > | see that the software [*.dll] running the MSIE is Windows
Explorer.
| > The IE
| > | > | is also just a shell.
| > | > | "MEB" <meb@not here@hotmail.com> wrote in message
| > | > | news:O3vUFon0IHA.5728@TK2MSFTNGP06.phx.gbl...
| > | > | > Not quite sure what the question relates too.. the code for
Firefox
| > is
| > | > | what
| > | > | > makes the vulnerability to attack, no vulnerability in the code,
the
| > | > | attack
| > | > | > point doesn't exist.
| > | > | >
| > | > | > --
| > | > | > MEB
| > | > | > http://peoplescounsel.orgfree.com
| > | > | > --
| > | > | > _________
| > | > | >
| > | > | > "Jim" <invalid@example.invalid> wrote in message
| > | > | > news:uqq6ypm0IHA.3884@TK2MSFTNGP05.phx.gbl...
| > | > | > | Isn't FFv.x.x a shell technology that rides on top of windows
| > | > explorer?
| > | > | If
| > | > | > | the internet browser is vulnerable, what about explorer?
| > | > | > |
| > | > | > |
| > | > | >
| > | > | >
| > | > |
| > | > |
| > | >
| > | >
| > | >
| >
| >
| >

Dan · Jun 21, 2008

Your welcome. I will let you know anything more that I find out about the
vulnerability affecting Mozilla Firefox.

"MEB" wrote:

> Thanks Dan, keep us posted on the outcome...
>
> --
> MEB
> http://peoplescounsel.orgfree.com
> --
> _________
>
> "Dan" <Dan@discussions.microsoft.com> wrote in message
> news:C241B07A-73CB-402C-803E-216C4FC7C4C7@microsoft.com...
> | The new updated version has not been released yet and I think it should be
> | free from the vulnerability because Mozilla pushed the release date back a
> | few days and my guess is that the reason was because of this
> vulnerability.
> | The big problem is that Mozilla Firefox has this highly critical
> | vulnerability and it appears the new version of Opera is problematic for
> some
> | users so that leaves Internet Explorer or some other lesser known browser
> for
> | users to more safely use. I would caution users to be careful what
> browsers
> | they download because there are always people out there that will try and
> | take advantage of the situation and have browsers that do not work well or
> | worse are spyware or malware infested.
> |
> |
> | "MEB" wrote:
> |
> | > Thanks for the links, but is that version FREE of the vulnerability to
> your
> | > knowledge?
> | >
> | > --
> | > MEB
> | > http://peoplescounsel.orgfree.com
> | > --
> | > _________
> | >
> | > "Dan" <Dan@discussions.microsoft.com> wrote in message
> | > news

CA38CC2-D287-4521-B8C4-AF1B7BEFA2F8@microsoft.com...
> | > | Here is some information about the vulnerability from secunia ---
> | > |
> | > | http://secunia.com/advisories/30761/
> | > |
> | > | Currently, Firefox users are looking at a July 1, 2008
> | > |
> | > | http://wiki.mozilla.org/Releases/Firefox_2.0.0.15
> | > |
> | > | "MEB" wrote:
> | > |
> | > | > Ah, okay, but then you do understand that Explorer is the graphical
> | > | > interface to {most} of Windows GUI aspects. I see your point though.
> | > | > Try using Dependency Walker on IExplore, C:\Program Files\Mozilla
> | > | > Firefox\firefox.exe, and a few other programs. Profile them ...
> | > | > If your feeling like you want the *big picture*, run filemon and/or
> | > regmon
> | > | > while you do this activity... after you run through those, open some
> of
> | > your
> | > | > favorite programs also while running filemon/regmon..
> | > | >
> | > | > So that still doesn't explain your original question. The code
> error is
> | > in
> | > | > Firefox, the vulnerability is fixed if/when that code is fixed. IS
> | > Explorer
> | > | > vulnerable,, ah I suppose so,,, buuuuuutttttt, not without the
> unfixed
> | > | > Firefox running which supplies/provides the vulnerability.
> | > | >
> | > | > --
> | > | > MEB
> | > | > http://peoplescounsel.orgfree.com
> | > | > --
> | > | > _________
> | > | >
> | > | >
> | > | > "Jim" <invalid@example.invalid> wrote in message
> | > | > news:uKGXq3n0IHA.552@TK2MSFTNGP06.phx.gbl...
> | > | > | If you look at MS Autoruns with MS entries showing and then not.
> You
> | > will
> | > | > | see that the software [*.dll] running the MSIE is Windows
> Explorer.
> | > The IE
> | > | > | is also just a shell.
> | > | > | "MEB" <meb@not here@hotmail.com> wrote in message
> | > | > | news:O3vUFon0IHA.5728@TK2MSFTNGP06.phx.gbl...
> | > | > | > Not quite sure what the question relates too.. the code for
> Firefox
> | > is
> | > | > | what
> | > | > | > makes the vulnerability to attack, no vulnerability in the code,
> the
> | > | > | attack
> | > | > | > point doesn't exist.
> | > | > | >
> | > | > | > --
> | > | > | > MEB
> | > | > | > http://peoplescounsel.orgfree.com
> | > | > | > --
> | > | > | > _________
> | > | > | >
> | > | > | > "Jim" <invalid@example.invalid> wrote in message
> | > | > | > news:uqq6ypm0IHA.3884@TK2MSFTNGP05.phx.gbl...
> | > | > | > | Isn't FFv.x.x a shell technology that rides on top of windows
> | > | > explorer?
> | > | > | If
> | > | > | > | the internet browser is vulnerable, what about explorer?
> | > | > | > |
> | > | > | > |
> | > | > | >
> | > | > | >
> | > | > |
> | > | > |
> | > | >
> | > | >
> | > | >
> | >
> | >
> | >
>
>
>

Dan · Jun 24, 2008

There is not much new information on the vulnerability yet but this might be
of interest to you and others from us-cert.

http://www.us-cert.gov/cas/bulletins/SB08-175.html

<this page includes the weeks' vulnerabilities that include the Mozilla
Firefox vulnerability>

Mozilla -- Firefox

Buffer overflow in Firefox 3.0 and 2.0.x has unknown impact and attack
vectors. NOTE: due to lack of details as of 20080619, it is not clear whether
this is the same issue as CVE-2008-2785. A CVE identifier has been assigned
for tracking purposes.
unknown
2008-06-19
10.0
CVE-2008-2786
FULLDISC
BID

<feel free to browse the page but unfortunately no new information yet>

"MEB" wrote:

> Thanks Dan, keep us posted on the outcome...

<snipped due to length>

MEB · Jun 24, 2008

Again, thanks Dan, continue to keep us informed.

--
MEB
http://peoplescounsel.orgfree.com
--
_________

"Dan" <Dan@discussions.microsoft.com> wrote in message
news:2DD538BB-EA02-4E68-A625-555BD2330C50@microsoft.com...
| There is not much new information on the vulnerability yet but this might
be
| of interest to you and others from us-cert.
|
| http://www.us-cert.gov/cas/bulletins/SB08-175.html
|
| <this page includes the weeks' vulnerabilities that include the Mozilla
| Firefox vulnerability>
|
| Mozilla -- Firefox
|
| Buffer overflow in Firefox 3.0 and 2.0.x has unknown impact and attack
| vectors. NOTE: due to lack of details as of 20080619, it is not clear
whether
| this is the same issue as CVE-2008-2785. A CVE identifier has been
assigned
| for tracking purposes.
| unknown
| 2008-06-19
| 10.0
| CVE-2008-2786
| FULLDISC
| BID
|
| <feel free to browse the page but unfortunately no new information yet>
|
| "MEB" wrote:
|
| > Thanks Dan, keep us posted on the outcome...
|
| <snipped due to length>

Dan · Jun 28, 2008

<snipped due to length>

The final release date now is July 2, 2008. I know many of want the patched
version now but we must be patient for it to be released and also to be fully
stable. I am guessing it may now even be pushed back again to July 3, 2008
due to the complexities of implementing this patch for this unknown
vulnerability.

FIREFOX 3.0 and lower vulnerability

MEB

Gary S. Terhune

Julie

Gary S. Terhune

MEB

Jim

MEB

Jim

Gary S. Terhune

MEB

Jim

Gary S. Terhune

Dan

MEB

Dan

MEB

Dan

Dan

MEB

Dan

Similar threads