Unsolved
This post is more than 5 years old
3 Apprentice
•
20.5K Posts
0
5784
Updates - December 9, 2010
This topic is for anyone who would like to discuss a specific update.
Feel free to post daily reminders of updates and version changes for some of the most popular security programs.
Free security programs are listed here: FREE SECURITY SOFTWARE 
ky331
3 Apprentice
3 Apprentice
•
15.3K Posts
0
December 9th, 2010 16:00
Firefox 3.6.13
Fixed in Firefox 3.6.13
MFSA 2010-84 XSS hazard in multiple character encodings
MFSA 2010-83 Location bar SSL spoofing using network error page
MFSA 2010-82 Incomplete fix for CVE-2010-0179
MFSA 2010-81 Integer overflow vulnerability in NewIdArray
MFSA 2010-80 Use-after-free error with nsDOMAttribute MutationObserver
MFSA 2010-79 Java security bypass from LiveConnect loaded via data: URL meta refresh
MFSA 2010-78 Add support for OTS font sanitizer
MFSA 2010-77 Crash and remote code execution using HTML tags inside a XUL tree
MFSA 2010-76 Chrome privilege escalation with window.open and
element
MFSA 2010-75 Buffer overflow while line breaking after document.write with long string
MFSA 2010-74 Miscellaneous memory safety hazards (rv:1.9.2.13/ 1.9.1.16)
ky331
3 Apprentice
3 Apprentice
•
15.3K Posts
0
December 10th, 2010 04:00
Here's additional (perhaps redundant) information on what the Firefox update has fixed, copied/pasted from http://secunia.com/advisories/42517
Description
A weakness and some [highly critical] vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to conduct cross-site scripting and spoofing attacks, bypass certain security restrictions, and compromise a user's system.
1) Multiple errors in the browser engine can be exploited to corrupt memory and potentially execute arbitrary code.
2) An error when handling line breaks in overly long strings passed to "document.write()" can be exploited to read data from out-of-bounds memory location and potentially execute arbitrary code.
3) An error when opening a new window using "window.open()" can be exploited to execute arbitrary JavaScript code with chrome privileges via the "
" element.
4) An error in the handling of "
5) An error in the Java LiveConnect script when loaded via a "data:" URL can be exploited to e.g. read arbitrary files, launch arbitrary processes, and establish arbitrary network connections.
6) A use-after-free error in the "NodeIterator API" when handling a "nsDOMAttribute" node can be exploited to corrupt memory and execute arbitrary code.
7) An integer overflow when creating arrays can be exploited to corrupt memory and potentially execute arbitrary code.
8) An error related to the XMLHttpRequestSpy object can be exploited to execute arbitrary JavaScript code.
This is due to an incomplete fix for vulnerability #9 in:
SA37242
9) An error exists in the handling of documents with no inherent origin associated. This can be exploited to bypass the same-origin policy and spoof the URL of a trusted site by tricking users into opening site which result in e.g. about:config or about:neterror pages.
10) An error exists in the rendering engine when handling certain Mac charset encodings. This can be exploited to potentially execute arbitrary JavaScript code in the context of the destination website.
The weakness and the vulnerabilities are reported in versions prior to 3.6.13 and 3.5.16.
Solution
Update to version 3.6.13 or 3.5.16.
ky331
3 Apprentice
3 Apprentice
•
15.3K Posts
0
December 10th, 2010 05:00
Concerning the urgency of this Firefox update:
This new version contains fixes for 11 security holes, nine of which have been given the worst rating of "critical" severity, as the vulnerabilities can be used to run malicious attack code and install software - the user has to do nothing to be hit in this way, just normal browsing is enough.
source: http://nakedsecurity.sophos.com/2010/12/10/firefox-receives-critical-security-fixes-update-now/