Mozilla Foundation Security Advisory 2007-38

Title: Memory corruption vulnerabilities (rv:1.8.1.10) Impact: High Announced: November 26, 2007 Products: Firefox, SeaMonkey Fixed in: Firefox 2.0.0.10 SeaMonkey 1.1.7

Description

The Firefox 2.0.0.10 update contains fixes for three bugs that improve the stability of the product. These crashes showed some evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

Mozilla Foundation Security Advisory 2007-39

Title: Referer-spoofing via window.location race condition Impact: High Announced: November 26, 2007 Reporter: Gregory Fleischer Products: Firefox, SeaMonkey Fixed in: Firefox 2.0.0.10 SeaMonkey 1.1.7

Description

Gregory Fleischer demonstrated that it was possible to generate a fake HTTP Referer header by exploiting a timing condition when setting the window.location property. This could be used to conduct a Cross-site Request Forgery (CSRF) attack against websites that rely only on the Referer header as protection against such attacks.

When navigation occurs due to setting window.location the Referer header is supposed to reflect the address of the content which initiated the script. Instead, the referer was set to the address of the window (or frame) in which the script was running, and this vulnerability arises from that tiny difference. Using a modal alert() dialog Fleischer was able to suspend the attack script so that it did not load the target URI until after the attacker's initial content had been replaced by the intended referring page. When the Referer is set to the current URI of the script's window it is no longer the correct one.

For more info>>>

Mozilla Foundation Security Advisory 2007-37

Source- mozilla.org

Mozilla Foundation Security Advisory 2007-37

Title: jar: URI scheme XSS hazard Impact: High Announced: November 26, 2007 Reporter: Jesse Ruderman, Petko D. Petkov, beford.org Products: Firefox, SeaMonkey

Fixed in: Firefox 2.0.0.10 SeaMonkey 1.1.7

Description

The jar: URI scheme was introduced as a mechanism to support digitally signed web pages, enabling web sites to load pages packaged in zip archives containing signatures in java-archive format.

Jesse Ruderman and Petko D. Petkov point out this means that sites that allow users to upload binary content in zip format are effectively allowing users to install web pages on their site, and these can be used to perform Cross-Site Scripting (XSS) attacks.

The blogger at beford.org noted that redirects confused Mozilla browsers about the true source of the jar: content: the content was wrongly considered to originate with the redirecting site rather than the actual source. This meant that an XSS attack could be mounted against any site with an open redirect even if it didn't allow uploads. A published proof-of-concept demonstrates stealing the GMail contact list of users logged-in to GMail.

Support for the jar: URI scheme has been restricted to files served with a Content-Type header of application/java-archive or application/x-jar. Web applications that require signed pages must make sure their .jar archives are served with this Content-Type. Sites that allow users to upload binary files should make sure they do not allow these files to have one of these two MIME types.

Unable to save or download files

If you are unable to save or download files in mozilla than-

Clear the download history

Click "Tools -> Downloads -> Clean Up" in the Mozilla Firefox menu. If if clearing the list doesn't help or it causes Firefox to hang or crash (or if the Downloads window is already empty), you will need to manually delete the download history, as follows:

Manually delete download history

1. Exit Mozilla Firefox completely

2. Open the Firefox profile folder.

3. Delete the downloads.rdf file (it will be regenerated when needed).

Prevention

You may be able to prevent this problem by setting Mozilla Firefox not to save a download history:

• Mozilla Firefox 2: Click "Tools -> Options -> Privacy / History" and uncheck "Remember what I've downloaded". (As an alternative, under "Privacy / Private Data" select "Always clear my private data when I close Firefox", then click the "Settings..." button and select "Download History" in the "Clear Private Data" window.)

• Mozilla Firefox 1.5: Click "Tools -> Options -> Privacy -> Download History" and select either "Upon successful download" or "When Firefox exits" from the "Remove files from the Download Manager" drop-down list.

source-kb.mozillazine.or

Updating add-ons

In Firefox and Thunderbird, add-ons (extensions and themes) can be updated using the Software Update feature. To perform an update check:

• Firefox and Thunderbird: "Tools -> Add-ons -> Find Updates"

Settings to automatically check for updates to installed add-ons are found under "Tools -> Options -> Advanced -> Update" in Firefox and Thunderbird and under "Edit -> Preferences -> Software Installation

Updating incompatible add-ons for a new application version

The Add-ons dialog will inform you if an existing add-on is incompatible with the current version of your application. Thunderbird will also disable the add-on and prevent you from enabling it by right clicking on the add-on in "Tools -> Add-ons" and pressing the enable button. The first thing to try is to check for updates to see if a new version is available. If one isn't found, you can override the compatibility check. Most add-ons will work if you do that, but it can cause the application to behave improperly. If that happens disable or uninstall the extension from the Add-ons dialog (from Safe Mode if necessary).

Migrating from Netscape 6 or 7

Your Netscape 6 or 7 profiles will be available to Mozilla. However, sharing profiles between Netscape 6 or 7 and Mozilla can cause problems.

Mozilla automatically uses your Netscape profile unless you have multiple profiles, in which case Mozilla prompts you to choose a profile. To avoid accidentally opening Mozilla with your Netscape profile, create a new, extra profile using your Netscape’s Profile Manager before installing Mozilla.

It is worth repeating that you should not share profiles between Mozilla and Netscape 6 or 7.

AOL Mail and Netscape WebMail

You can use Mozilla's mail client to access AOL Mail. To set up your AOL account on Mozilla Mail & Newsgroups, create a IMAP mail account, set the incoming server to imap.aol.com, and set the outgoing server to smtp.aol.com. For accounts with AOL outside of U.S. and CompuServe 2000, see http://members.aol.com/adamkb/aol/mailfaq/imap/#foreign for server addresses. For instructions on how to set up an IMAP account, consult Mozilla's on-screen Help.

Netscape 6 and 7 has Netscape WebMail integrated into its mail client. Mozilla does not have such integration, but you can access Netscape WebMail via the Web at http://webmail.netscape.com.

Importing user data from AOL

Mozilla cannot import data from AOL directly. To import mail saved on your computer (Filing Cabinet) and addresses from AOL, you must use third-party utilities to export your data in formats Mozilla can import. You may try the utilities listed in:

http://www.emailman.com/conversion/

(mozilla.org does not recommend or support any software listed on the Web page.)

For general instructions on importing mail and addresses, read Migrating from another mail client.

Migrating from Microsoft Internet Explorer

Migrating from Microsoft Internet Explorer is easy. Mozilla automatically imports your Internet Explorer Favorites. To access them, open the Bookmarks menu and select Imported IE Favorites.

Synchronizing your favorites and bookmarks manually

Mozilla automatically imports your favorites only once. If you have changed your favorites, you can re-import your favorites manually.

First, you need to export your favorites in HTML format. On Mac OS,

1. Open Internet Explorer.

2. Open the Favorites menu and select Organize Favorites.

3. Open the File menu and select Export Favorites.

4. In the dialog that appears, save the file.

On Windows, to export your favorites,

1. Open Internet Explorer.

2. Open the File menu and select Import and Export.

3. Follow the instructions in the wizard that appears to save your favorites to a file.

To import your favorites to Mozilla,

1. Open Mozilla. In Mozilla Navigator, open the Bookmarks menu and choose Manage Bookmarks.

2. In the Bookmarks Manager, open the Tools menu and choose Import.

3. Open the HTML file you just saved in the file picker.

Migrating from Microsoft Outlook or Outlook Express

To import your old mail settings, mail, and addresses:

1. Open Mozilla Mail & Newsgroups: open the Window menu and choose Mail & Newsgroups.

2. In Mozilla Mail & Newsgroups, open the Tools menu and choose Import.

3. Following the instruction of the Import dialog.

Note: importing settings, mail, and addresses from Microsoft Outlook or Outlook Express requires that the program is still installed on your computer. You may uninstall Outlook or Outlook Express afterwards.

Note: Mozilla does not support special characters (e.g. / and #) in mail folders. If you receive the following error: Unable to import mailboxes, cannot create proxy object for destination mailboxes, then open Outlook (or Outlook Express) and rename your folders. Then try importing again.

Source- www.mozilla.org

What's New in Mozilla 1.7

New Features and Fixes

• Official Mozilla 1.7 builds for Windows, Linux, and Mac all contain the Talkback crash reporting utility. Help us make 1.7 the most stable release yet; please submit your crash reports.
• A new option to prevent sites from using JavaScript to block the browser's context menu.
• A new set of icons for files that are associated with Mozilla on Windows.
• Password Manager has a "show passwords" mode which will display saved passwords. You will need to enter your master password if you are using one.
• The "Set As Wallpaper" feature now has a confirmation dialog.
• Linux GTK2 builds have improved support for OS themes.
• Cookie dialogs have been reworked to make them more usable.
• Date handling, especially on OS X, has been improved.
• It is now possible to fine-tune Mozilla's pop-up blocking using two preferences (dom.popup_maximum and dom.popup_allowed_events) but there's no UI for that yet. Even without a UI, users should notice a greater variety of pop-ups blocked (primarily mouseover pop-ups) and a limit of 20 or so open at one time - regardless of whether pop-up blocking is active. This will provide some protection from sites that open hundreds of windows in a loop.
• Downloaded files are now moved to the target directory as soon as the user selects the desired location. This was the frequently reported bug 55690.
• There is now user interface to activate Smooth Scrolling (Preferences -> Appearance).
• Mozilla now supports basic FTP upload.