Firefox 3.6.8 fixes issues found in previous versions of Firefox 3.6 and a single stability issue affecting some pages containing plugins.

If you do not receive an update notice when using the program, select “Check for Updates” from the Help menu.

Manual Download

Certifiedbug.com

Firefox 3.6.8 Released

Firefox 3.6.7 fixes several security and stability issues found in previous versions of Firefox 3.6:

If you do not receive an update notice when using the program, select “Check for Updates” from the Help menu.

Manual Download

Certifiedbug.com

Firefox 3.6.7 Released

The SpringBoard Series Blog

This weeks post is from Carl Luberti, a Senior Support Escalation Engineer with the Internet Explorer team.

To start, I wanted to address that Internet Explorer 8 has over 1300 Group Policy entries that can be configured, which is great for keeping your environment managed and safe. That can also create some challenges in wrapping your head around all of the possibilities, so I wanted to begin with a list of 10 entries that are usually the most asked-about control locations for IE8 from a support perspective. Hopefully, this will give a bit of a “jumping off” point to managing Internet Explorer with Group Policy. It’s one of the most powerful features of using Internet Explorer 8 in an Active Directory domain, so I want to make this easier to use and understand.

Complete Article

Certifiedbug.com

Internet Explorer 8, Understanding Group Policy Settings

Mozilla Security Announcement.

Mozilla Sniffer
An add-on called “Mozilla Sniffer” was uploaded on June 6th to addons.mozilla.org. It was discovered that this add-on contains code that intercepts login data submitted to any website, and sends this data to a remote location. Upon discovery on July 12th, the add-on was disabled and added to the blocklist, which will prompt the add-on to be uninstalled for all current users.

If a user installs this add-on and submits a login form with a password field, all form data will be submitted to a remote location. Uninstalling the add-on stops this behavior. Anybody who has installed this add-on should change their passwords as soon as possible.

Mozilla Sniffer has been downloaded approximately 1,800 times since its submission and currently reports 334 active daily users. All current users should receive an uninstall notification within a day or so. The site this add-on sends data to seems to be down at the moment, so it is unknown if data is still being collected.

CoolPreviews
A security escalation vulnerability was discovered in version 3.0.1 of the CoolPreviews add-on. The vulnerability can be triggered using a specially crafted hyperlink. If the user hovers the cursor over this link, the preview function executes remote JavaScript code with local chrome privileges, giving the attacking script control over the host computer. Version 3.0.1 and all older versions have been disabled on addons.mozilla.org, and a fixed version was uploaded and reviewed within a day of the developer being notified.

Proof of concept code for this vulnerability was posted on this blog, but no known malicious exploits have been reported so far. If a user has a vulnerable version installed and clicks on a malicious link that targets the add-on, the code in the malicious link will run with local privileges, potentially gaining access to the file system and allowing code download and execution.

All users of CoolPreviews should update to the latest version as soon as possible in order to avoid exposure.

Currently, 177,000 users have a vulnerable version installed. This is less than 25% of the current install base and it will continue to decrease as more users are prompted to update to a new version. Vulnerable versions will also be blocklisted very soon.

http://blog.mozilla.com/addons/2010/07/13/add-on-security-announcement/

Certifiedbug.com

Firefox: Two Add-on security vulnerabilities

Hot on the heels of Firefox 3.6.4 Mozilla skips 3.6.5 and releases 3.6.6 ahead of schedule to address Flash plug-in crashes and performance slowdowns.

Manual Download

Certifiedbug.com

Firefox 3.6.6 Released

Firefox 3.6.4 fixes several security issues. Four critical, two moderate, one low.

MFSA 2010-33 User tracking across sites using Math.random()
MFSA 2010-32 Content-Disposition: attachment ignored if Content-Type: multipart also present
MFSA 2010-31 focus() behavior can be used to inject or steal keystrokes
MFSA 2010-30 Integer Overflow in XSLT Node Sorting
MFSA 2010-29 Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal
MFSA 2010-28 Freed object reuse across plugin instances
MFSA 2010-26 Crashes with evidence of memory corruption (rv:1.9.2.4/ 1.9.1.10)

http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.4

The new version also fixes some stability issues. Complete list of changes

If you don’t receive an update notice when using the program, select “Check for Updates” from the Help menu.

Firefox 3.6.4 Download

Certifiedbug.com

Firefox 3.6.4 Released

Interesting sleuthing by Mark, Technical Fellow in the Platform and Services Division at Microsoft.

While I long for the day when I no longer experience the effects of buggy software, there’s something rewarding about solving my own troubleshooting cases. In the process, I often come up with new techniques to add to my bag of tricks and to share with you in my “Case of the Unexplained…” presentations and blog posts. The other day I successfully closed an especially interesting case that opened when Internet Explorer (IE) crashed as I was reading a web page:

Article and resolution at TechNet: http://blogs.technet.com/b/markrussinovich/archive/2010/06/01/3335060.aspx

Certifiedbug.com

Russinovich-The Case of the Random IE Crash

This vulnerability affects Opera for Windows and Mac.

“Multiple asynchronous calls to a script that modifies the document contents can cause Opera to reference an uninitialized value, which may lead to a crash. To inject code, additional techniques will have to be employed.”

http://www.opera.com/support/new2opera/

http://www.opera.com/support/kb/view/953/

Certifiedbug.com

Opera releases v.10.53 to patch extremely severe vulnerability

SANS Internet Storm Center.
Published: 2010-04-21

McAfee’s “DAT” file version 5958 is causing widespread problems with Windows XP SP3. The affected systems will enter a reboot loop and loose all network access. We have individual reports of other versions of Windows being affected as well. However, only particular configurations of these versions appear affected. The bad DAT file may infect individual workstations as well as workstations connected to a domain. The use of “ePolicyOrchestrator”, which is used to update virus definitions across a network, appears to have lead to a faster spread of the bad DAT file. The ePolicyOrchestrator is used to update “DAT” files throughout enterprises. It can not be used to undo this bad signature because affected system will lose network connectivity.

http://isc.sans.org/diary.html?storyid=8656

Anecdotal numbers of affected computers could reach a final tally that reaches into the millions.

Nilay Patel at Engadget quotes a statement from McAfee

The faulty update has been removed from McAfee download servers for corporate users, preventing any further impact on those customers. We are not aware of significant impact on consumer customers and believe we have effectively limited such occurrence.

http://www.engadget.com/2010/04/21/mcafee-update–shutting-down-xp-machines/

McAfee Corporate KnowledgeBase ID: KB68780

http://vil.nai.com/vil/5958_false.htm

Certifiedbug.com

McAfee botched antivirus update shuts down corporate customers

Upcoming Adobe Reader and Acrobat 9.3.2 and 8.2.2 to be Delivered by New Updater

Adobe Reader Blog
Steve Gottwals

On Tuesday, April 13, 2010, as part of our quarterly update, we will activate the new updater for all users needing Adobe Reader and Acrobat 9.3.2 and 8.2.2 for Windows and Macintosh. As of yesterday, April 7, 2010, we have been activating our new updater for those users who are not yet up-to-date with our latest versions.

http://blogs.adobe.com/adobereader/2010/04/upcoming_adobe_reader_and_acro.html

Given the frequent vulnerabilities found in Adobe products an updater is good news for end-users.

http://certifiedbug.com/blog/tag/adobe/

Certifiedbug.com

Updater for Adobe Reader and Acrobat