Firefox

Firefox ShowIP add-on privacy concerns

by certifiedbug on May 1, 2012

in Internet Security

Sophos

A popular Firefox add-on appears to have started leaking private information about every website that users visit to a third-party server, including sensitive data which could identify individuals or reduce their security.

Naked Security reader Rob Sanders alerted us to the activities of the recently updated ShowIP add-on for the Firefox browser.

Currently over 170,000 people are said to be using ShowIP.

What the add-on’s description doesn’t say is that since version 1.3 (released on April 19th 2012) it has also sent – unencrypted – the full URL of sites visited using HTTPS, and sites viewed in Private Browsing mode, to a site called ip2info.org.

The user never realises that the data has been shared with a third party, unless they use special tools to monitor what data is being sent from their computer.

http://nakedsecurity.sophos.com/2012/05/01/privacy-concern-showip-firefox-add-on/


Firefox 12.0 released

by certifiedbug on April 25, 2012

in Browser

Fixed in Firefox version 12.
MFSA 2012-33 Potential site identity spoofing when loading RSS and Atom feeds
MFSA 2012-32 HTTP Redirections and remote content can be read by javascript errors
MFSA 2012-31 Off-by-one error in OpenType Sanitizer
MFSA 2012-30 Crash with WebGL content using textImage2D
MFSA 2012-29 Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues
MFSA 2012-28 Ambiguous IPv6 in Origin headers may bypass webserver access restrictions
MFSA 2012-27 Page load short-circuit can lead to XSS
MFSA 2012-26 WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error
MFSA 2012-25 Potential memory corruption during font rendering using cairo-dwrite
MFSA 2012-24 Potential XSS via multibyte content processing errors
MFSA 2012-23 Invalid frees causes heap corruption in gfxImageSurface
MFSA 2012-22 use-after-free in IDBKeyRange
MFSA 2012-21 Multiple security flaws fixed in FreeType v2.4.9
MFSA 2012-20 Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4)

If you do not receive an update notice when using the application, select “Check for Updates” from the Help menu.

https://www.mozilla.org/firefox/12.0/releasenotes/

Download: https://www.mozilla.org/en-US/firefox/all.html


Firefox and Thunderbird 11.0 released

by certifiedbug on March 16, 2012

in Browser,Software

http://www.mozilla.org/en-US/firefox/11.0/releasenotes/
https://www.mozilla.org/en-US/thunderbird/11.0/releasenotes/

Every six weeks, another Firefox train leaves the station. This week we will release another update, but not on Tuesday as we typically do. There are two reasons for this:

This Tuesday is Microsoft’s scheduled monthly update to Windows, and those updates have interacted badly with our updates before. We don’t have reason to expect specific problems with this month’s updates, but we’d rather take a day or two to understand the impact before we update all of our users.
We’re also waiting for a report from ZDI about a security vulnerability that may affect this new version of Firefox. We expect to receive the report by end of day Monday. Once we can evaluate the vulnerability, we’ll know whether we need to include a fix in Firefox before the update is released.

UPDATE: The security bug reported by ZDI is one we had already identified and fixed through our internal processes. This eliminates the need for us to delay this week’s releases, and we will be shipping them later today. However, in order to understand the impacts of Microsoft’s “Patch Tuesday” fixes, we will initially release Firefox for manual updates only. Once those impacts are understood, we’ll push automatic updates out to all of our users.

If you do not receive an update notice when using the application, select “Check for Updates” from the Help menu.

Download Firefox http://www.mozilla.org/en-US/firefox/all.html
Download Thunderbird https://www.mozilla.org/en-US/thunderbird/all.html


Firefox and Thunderbird 10.0.2 released

by certifiedbug on February 17, 2012

in Browser,Software

Critical: MFSA 2012-11 libpng integer overflow

http://www.mozilla.org/en-US/firefox/10.0.2/releasenotes/
https://www.mozilla.org/en-US/thunderbird/10.0.2/releasenotes/

If you do not receive an update notice when using the application, select “Check for Updates” from the Help menu.

Download Firefox http://www.mozilla.org/en-US/firefox/all.html
Download Thunderbird https://www.mozilla.org/en-US/thunderbird/all.html


Firefox and Thunderbird 10.0.1 released

February 12, 2012

Critical: MFSA 2012-10 :ReadPrototypeBindings

Release notes:
http://www.mozilla.org/en-US/firefox/10.0.1/releasenotes/
https://www.mozilla.org/en-US/thunderbird/10.0.1/releasenotes/

If you do not receive an update notice when using the application, select “Check for Updates” from the Help menu.

Download Firefox http://www.mozilla.org/en-US/firefox/all.html
Download Thunderbird https://www.mozilla.org/en-US/thunderbird/all.html


Firefox and Thunderbird 10.0 released

January 31, 2012

For a complete list of changes see the release notes:
http://www.mozilla.org/en-US/firefox/10.0/releasenotes/
https://www.mozilla.org/en-US/thunderbird/10.0/releasenotes/

If you do not receive an update notice when using the application, select “Check for Updates” from the Help menu.

Download Firefox 10.0 http://www.mozilla.org/en-US/firefox/all.html
Download Thunderbird 10.0 https://www.mozilla.org/en-US/thunderbird/all.html


Mozilla Firefox 9 staggered rollout

January 17, 2012

Mozilla Wiki

We’re still tracking issues for a possible 9.0.2
You can see them @ https://wiki.mozilla.org/Releases/Firefox_9/RRRT

Note we are doing a staggered / slow rollout
We were manual-update only initially. This is why < 3 million people got 9.0 instead of 9.0.1
We unthrottled automatic updates for the past week (only offering to 10% of [...]


Firefox 9.0.1 released

December 30, 2011

The latest version of Firefox has the following changes:
Added Type Inference, significantly improving JavaScript performance
Improved theme integration for Mac OS X Lion
Added two finger swipe navigation for Mac OS X Lion
Added support for querying Do Not Track status via JavaScript
Added support for font-stretch
Improved support for text-overflow
Improved standards support [...]


Firefox 8.0 released

November 8, 2011

The latest version of Firefox fixes several stability and security issues.
MFSA 2011-52 Code execution via NoWaiverWrapper
MFSA 2011-51 Cross-origin image theft on Mac with integrated Intel GPU
MFSA 2011-50 Cross-origin data theft using canvas and Windows D2D
MFSA 2011-49 Memory corruption while profiling using Firebug
MFSA 2011-48 Miscellaneous memory safety hazards (rv:8.0)
MFSA 2011-47 [...]


Firefox Rapid Release - Silent Updates

October 5, 2011

http://blog.lizardwrangler.com/2011/10/03/rapid-release-follow-up/

Update Fatigue. In the past we have been very careful to make sure people know something is changing with their web browser before it changes. We did this to make sure people are aware and in control of what’s happening to their environment. Our position was to err on the side of user notification. [...]
