
Re: OT Firefox security leak: bogus or genuine?



David Burgess wrote:
> On Tue, 2005-05-10 at 18:47 -0400, [KS] wrote:
> 
> 
>>Here is the official security advisory link from mozilla.org
>>http://www.mozilla.org/security/announce/mfsa2005-42.html
>>
>>You should be fine as long as you haven't added any website to the
>>whitelist to install software except the official update website.
>>
>>/KS
>>
> 
> 
> Not so. From the "Workaround" section of the advisory:
> 
> "4. Click the "Remove All Sites" button"
> 
> The problem is that any site can install software as long as there is at
> least a single site on the whitelist. You are vulnerable until you clear
> the whitelist completely.
> 
> dB
> 
> 
Ref: http://www.mozillazine.org/talkback.html?article=6590

"In a standard Firefox installation, only the Mozilla Update sites
(update.mozilla.org and addons.mozilla.org) are on the whitelist by
default. This has allowed the Mozilla Foundation to apply a server-side
change that prevents attackers from exploiting the code execution flaw
using its systems. Therefore, **if you have not added any additional
sites to the whitelist**, you are not at risk from the code execution
exploit and have not been since yesterday. However, you will still be
vulnerable to the less serious JavaScript injection flaw."

/KS
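The thread turns on one question: what is actually on the XPInstall whitelist? The following Python script is an added example, not part of the original messages, that audits that list and classifies the profile into the three states the thread distinguishes (whitelist cleared as the advisory's workaround prescribes, defaults only as the MozillaZine quote describes, or extra sites added). It assumes, as in Firefox 1.0.x, that per-host permissions live in a tab-separated `hostperm.1` file in the profile directory with lines of the form `host<TAB>type<TAB>permission<TAB>hostname`, where type `install` is the software-install whitelist and permission `1` means allow; the sample file contents are constructed for the example.

```python
"""
Audit a Firefox 1.0-era software-install whitelist (hostperm.1).

Assumption (not from the thread): hostperm.1 is a tab-separated file with
one permission per line: host<TAB>type<TAB>permission<TAB>hostname.
Type "install" is the XPInstall whitelist; permission "1" means allow,
"2" means deny. Comment lines start with "#".
"""
import os

# The two sites the MozillaZine quote says are whitelisted by default.
DEFAULT_INSTALL_HOSTS = frozenset({"update.mozilla.org", "addons.mozilla.org"})

# Constructed sample hostperm.1 contents for a self-contained run.
SAMPLE_HOSTPERM = "\n".join([
    "# Permission File",
    "# This is a generated file! Do not edit.",
    "",
    "\t".join(["host", "install", "1", "update.mozilla.org"]),
    "\t".join(["host", "install", "1", "addons.mozilla.org"]),
    "\t".join(["host", "popup", "1", "mail.example.org"]),       # not an install entry
    "\t".join(["host", "install", "1", "downloads.example.net"]),  # user-added site
    "\t".join(["host", "install", "2", "blocked.example.org"]),    # explicit deny
]) + "\n"


def parse_install_whitelist(text):
    """Return the set of hostnames allowed to trigger software installs."""
    allowed = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        # Skip malformed lines and anything that is not a host permission.
        if len(fields) != 4 or fields[0] != "host":
            continue
        _, ptype, perm, host = fields
        if ptype == "install" and perm == "1":
            allowed.add(host.strip().lower())
    return allowed


def extra_install_hosts(text, defaults=DEFAULT_INSTALL_HOSTS):
    """Hosts on the install whitelist beyond the default Mozilla update sites."""
    return sorted(parse_install_whitelist(text) - defaults)


def classify(text, defaults=DEFAULT_INSTALL_HOSTS):
    """Map the whitelist contents to the three states discussed in the thread."""
    allowed = parse_install_whitelist(text)
    if not allowed:
        return "cleared"          # advisory workaround applied: no site can install
    if allowed <= defaults:
        return "defaults-only"    # only Mozilla's own update sites are trusted
    return "extra-sites"          # user-added sites widen the trusted set


def audit_profile(profile_dir):
    """Read hostperm.1 from a profile directory and return (state, extra hosts)."""
    path = os.path.join(profile_dir, "hostperm.1")
    if not os.path.exists(path):
        return "cleared", []      # no permission file means no install whitelist
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return classify(text), extra_install_hosts(text)


if __name__ == "__main__":
    print("state:", classify(SAMPLE_HOSTPERM))
    print("extra install hosts:", extra_install_hosts(SAMPLE_HOSTPERM))
```

Only the `cleared` state corresponds to the advisory's "Remove All Sites" workaround; `defaults-only` is the situation the MozillaZine note describes, and any host reported by `extra_install_hosts` is one the user would need to remove (or justify) before treating the profile as covered.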


