Firefox Update v.1.0.1

[Karding]

February 28, 2005
New Firefox Vulnerability Pushes Latest Update
By Sean Michael Kerner

If you're a Mozilla Firefox user, there's another reason for you to update to the latest version of the upstart browser released last week.

Buried in the list of Firefox security updates is a critical heap overflow issue that hit the public disclosure lists officially just today.

Security firm iDefense issued a public advisory today titled, "Mozilla Firefox and Mozilla Browser Out Of Memory Heap Corruption Design Error." The vulnerability could allow an attacker to execute arbitrary code and/or crash the browser.

According to iDefense's security disclosure timeline, the vulnerability was reported to the Mozilla Foundation on Feb. 9, and Mozilla responded that day. "Coordinated" public disclosure was supposed to occur today.

The vulnerability involves the remote exploitation of a "design error" that could potentially allow a malicious remote miscreant to trigger a heap (define) corruption.

According to the iDefense advisory, the vulnerability specifically exists in string-handling functions. The flaw involves the way those functions handle memory, which could potentially allow memory to be overwritten in a fixed location if, during string growth, memory reallocation fails.

According to Mozilla's advisory, creating the exact conditions for Exploitation -- including running out of memory at just the right moment -- is unlikely."

That said, iDefense's advisory notes that the two items required to execute the exploit -- knowing the browser version and being able to cause memory exhaustion -- are entirely plausible. The security firm wrote in its advisory that the memory exhaustion could be triggered by a JavaScript ("to allocate enough memory to trigger this vulnerability") or even compressed data.

According to iDefense, even a failed exploitation attempt could result in the browser crashing. A successful exploitation attempt would allow for arbitrary code execution with the same privileges of the logged-in user. Mozilla's update last week supposedly fixes the issue.

Firefox's security concerns come amid new reports of the open source browser's growing market share. According to Web analytics firm OneStat.com, Mozilla browsers, including Firefox, now command an 8.45 percent market share. This is up from November when its share was only 7.53 percent. Microsoft's Internet Explorer still dominates at 87.28 percent.

"It seems that global usage share of Mozilla's Firefox is still increasing, and the total global usage share of Microsoft's Internet Explorer is still decreasing," said Niels Brinkman, co-founder of OneStat.com, in a statement. "It looks like that browser users of Internet Explorer 5 are switching to Mozilla Firefox instead of upgrading to Internet Explorer 6.0."

Mozilla is performing a windows update automatically.
http://weblogs.mozillazine.org/asa/archives/007648.html

Windows Users Receiving Mozilla Firefox 1.0.1 via Software Update
Tuesday March 1st, 2005

Asa Dotzler writes: "Yesterday, we tried to launch update for Firefox 1.0 Windows users and ran into the problem that we were serving the Windows update to Mac and Linux users.

"Today, we've fixed the problem so that the Windows users of Firefox 1.0 will receive the update notification and the Windows update package and Mac and Linux users won't (which is the intended behavior since we don't have update ready for those platforms).

"We're rolling out this update to tens of millions of users and currently serving about twenty thousand update downloads per hour, so if you see any weirdness, please let us know and we'll look into it right away.

"For Mac and Linux users, please visit www.mozilla.org to get your 1.0.1 update."

If for some reason the update didnt download/install automatically on your Windows machine, click this link toDOWNLOAD NOW

Can you believe it? Even NASA is running Firefox now.

[ghosthunter]

My internet rental shop is now running 75% Foxfire browsers now. Its a blessing given those computers with foxfire don't get "infected" with adware and such.

[wrecker]

time to download this later

[pissword]

ok nga talaga ang firefox... masmarami pa gumagamit ng firefox kesa opera?

[prinsipe]

mas maganda pala ang Firefox as compared to IE.

[cyberdoc95]

I've downloaded FIREFOX since they began offering this browser and I've been using it ever since. This update yata is the answer of the problem I started to get about December 2004/January 2005 when the browser would suddenly crash...

But lately, ok naman siya!

[BlueBimmer]

i use opera primary browser then secondary firefox, da best combination!

[ssaloon]

panalo talaga mozilla. wala na ngang bugs with this latest version (so far).