Mozilla states that despite what several media outlets and security organizations reported over the weekend, it is not an exploitable vulnerability that could lead to malicious code execution, so it is not a critical flaw.
Continue reading Mozilla confirms new crash bug in Firefox 3.5.1 not exploitable
Mozilla has confirmed a critical security vulnerability, disclosed yesterday by Milw0rm, that may lead to remote code execution.
- Enter about:config in the location bar to access advanced preferences.
Mozilla reports that it is already working on a fix for the flaw and will release it as soon as it is available.
It turned out Mozilla only needed a couple of days to release the needed fixes for a couple of security vulnerabilities disclosed in the last few days. One was uncovered last week during the CanSecWest Pwn2Own contest; the other was published a couple of days ago by an Italian hacker.
While Firefox 3.0.8 fixes only these two critical security bugs, another was already on schedule for release in mid-April. I think this release may delay the Firefox 3.0.9 release a bit, but it should still come out in April.
To update, in the Help menu, select Check For Updates… and follow the onscreen instructions if you are not automatically prompted before that.
Guido Landi, an Italian hacker, has disclosed the details of a previously unknown crashing bug, including a proof of concept consisting of XML and XSL files that are loaded in an internal frame, resulting in a Firefox 3.0.7 crash on all platforms.
There is no known exploit at this time, but since the bug has already been disclosed, Mozilla has decided to release the next Firefox update, 3.0.8, next week, about a week ahead of the mid-April target.
The bug does not affect the latest Firefox 3.5 nightlies, where the files instead produce the expected XML parsing error.
The same day Firefox 3 was shipping, TippingPoint, a research organization for vulnerability analysis and discovery, released an upcoming advisory (ZDI-CAN-349) on its Zero Day Initiative site about a new security vulnerability, affecting Firefox 2 and 3, that could allow an attacker to execute arbitrary code.
Continue reading Mozilla already working on a Firefox 3 security fix