posted on May 10, 2005 05:20:46 AM new
All of a sudden today I an getting a warning about Firefox and eBaty non-compatability encryption - is anyone else getting this too? Is it horrible to navigate ebay without a secure signin?
-------------------------------------
posted on May 10, 2005 05:39:12 AM new
I get the same message this morning. BTW, there was more on the news yesterday about the flaw in Firefox:
Critical Flaw Found in Firefox
Matthew Broersma, Techworld.com
Firefox has unpatched "extremely critical" security holes and exploit code is already circulating on the Net, security researchers have warned.
The two unpatched flaws in the Mozilla browser could allow an attacker to take control of your system.
A patch is expected shortly, but in the meantime users can protect themselves by switching off JavaScript. In addition, the Mozilla Foundation has now made the flaws effectively impossible to exploit by changes to the server-side download mechanism on the update.mozilla.org and addons.mozilla.org sites, according to security experts.
The flaws were confidentially reported to the Foundation on May 2, but by Saturday details had been leaked and were reported by several security organizations, including the French Security Incident Response Team (FrSIRT). Danish security firm Secunia marked the exploit as "extremely critical", its most serious rating, the first time it has given a Firefox flaw this rating.
In recent months Firefox has gained significant market share from Microsoft's Internet Explorer, partly because it is considered less vulnerable to attacks. However, industry observers have long warned that the browser is more secure partly because of its relatively small user base. As Firefox's profile grows, attackers will increasingly target the browser.
posted on May 10, 2005 06:14:22 AM new
Interestingly enough, I get the same message on eBay only when using Netscape after I closed Mozilla. No other site I've been to this morning with Mozilla had those messages.
Guess I'll take a hiatus with Firefox for the time being (but I've become so used to it that anything else seems cumbersome!)
posted on May 10, 2005 08:22:25 AM new
Go in to Tools, Options and Web Features. Uncheck Allow Web Sites to Install Software and the Java box. You should be okay. If you need the Java, temporarily enable it then disable it when you are done. I know it's a PIA, but FF is still better than IE. A long as you haven't added anything to your white list (click on Allowed Sites next to the Allow Web Sites. Your list will be there. The only two that should be there are both Mozilla sites. They are safe. If you have any other sites there, clear them.
posted on May 10, 2005 09:17:55 AM new
neglus I thought your typo was to say you were getting E-batty messages from firefox!! lol. I read through it so fast!
I had some trouble with that ad block thing (why oh why wont these people leave me alone?? ...grrr!) so uninstalled reinstalled -- still getting them, so I know something is leaking with them(firefox).
birgittaw: Firefox is built on the netscape browser.
posted on May 10, 2005 11:53:44 AM new
Cheryl-I havent been getting any messages or errors the others have been getting..so far.
I did what you said and unchecked Allow web sites to install software and also the Java box-theres also a java script box which I left checked-is that okay-also I know this is a stupid question,but what is the Java for anyway?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Baseball season has started,but they have it all wrong.3 strikes and you're out,4 balls you walk.I can tell you right now a man with 4 balls could not possibly walk
posted on May 10, 2005 12:26:42 PM new
Security Alerts & Announcements
Complete list of known vulnerabilities (in previous Mozilla product versions).
Security Advisory (May 8, 2005) The Mozilla Foundation is aware of two potentially critical Firefox security vulnerabilities as reported publicly Saturday, May 7th. There are currently no known active exploits of these vulnerabilities although a "proof of concept" has been reported. Changes to the Mozilla Update web service have been made to mitigate the risk of an exploit. Mozilla is aggressively working to provide a more comprehensive solution to these potential vulnerabilities and will provide that solution in a forthcoming security update. Users can further protect themselves today by temporarily disabling JavaScript.
For more information about the vulnerabilities, see the advisory. Further information including the availability of updates will be posted at www.mozilla.org.
posted on May 10, 2005 12:35:43 PM new
Advisory
______________________________________________
Mozilla Foundation Security Advisory 2005-42
Title: Code execution via javascript: IconURL
Severity: Critical
Reporter: Paul (Greyhats)
Products: Firefox, Mozilla Suite
Description
Two vulnerabilities were found in Mozilla Firefox that combined allow an attacker to run arbitrary code. The Mozilla Suite is only partially vulnerable.
By causing a frame to navigate back to a previous javascript: url an attacker can inject script into any site. This could be used to steal cookies or sensitive data from that site, or to perform actions on behalf of that user. (Affects Firefox and the Suite).
A separate vulnerability in the Firefox install confirmation dialog allows an attacker to execute arbitrary code by using a javascript: URL as the package icon. By default only the Mozilla Foundation update site is allowed to bring up this dialog, but the script injection vulnerability described above enables this to be exploited from any malicious site.
The Mozilla Foundation has modified the update servers to prevent their use in this attack.
Workaround
The Mozilla Foundation has made changes to our update servers that will protect users from this arbitrary code execution exploit. Users who have added other extension or theme sites to the software installation whitelist should remove them until a fixed version of Firefox is available.
1. Select the "Options" dialog from the "Tools" menu
2. Select the "Web Features" icon
3. Click the "Allowed Sites" button on the same line as the "Allow web sites to install software" checkbox
4. Click the "Remove All Sites" button
5. Click "OK"
To prevent the script injection exploit from stealing cookies or other sensitive data disable Javascript before visiting untrustworthy sites. In Firefox:
1. Select the "Options" dialog from the "Tools" menu
2. Select the "Web Features" icon
3. Uncheck the "Enable Javascript" checkbox
4. Click "OK"
In the Mozilla Suite:
1. Select the "Preferences" dialog from the "Edit" menu
2. Click the tiny icon next to the "Advanced" item in the left pane to expand the list
3. Select "Scripts and Plug-ins"
4. Uncheck the "Navigator" checkbox under "Enable Javascript for"
5. Click "OK"
Re-enable Javascript for trustworthy sites that require it.
[ edited by deur1 on May 10, 2005 08:05 PM ]
Some web sites use Java script for all kinds of animation, forms, etc. Uncheck all of it. The USPS web site uses Java script when printing postage. Other than that, I really don't come across it too often.
Edited to add: If you come across a site that uses it, you should get a message that you have to enable it.
Cheryl
[ edited by CBlev65252 on May 10, 2005 06:33 PM ]
posted on May 10, 2005 06:37:51 PM new
You need to use Java Script to use the HTML editor in Vendio ...I found that out tonight . I guess I can trust Vendio....
-------------------------------------
posted on May 10, 2005 08:06:40 PM new
Thanks Cheryl
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Baseball season has started,but they have it all wrong.3 strikes and you're out,4 balls you walk.I can tell you right now a man with 4 balls could not possibly walk
posted on May 11, 2005 05:32:32 AM newHowever, industry observers have long warned that the browser is more secure partly because of its relatively small user base. As Firefox's profile grows, attackers will increasingly target the browser...
Funny, I dont think this is anything I ever posted? Explained to me by an industry insider?
But we cant all be librarians, webmasters or professors, I guess.
. I guess I can trust Vendio....