Mozilla, Skype Issue Updates

It seems as though every maker of desktop software applications is issuing updates to its products this week. Skype, the popular voice-over-Internet telephone service+software has a new version that squashes a security bug. Meanwhile Mozilla is pushing out an update to its Firefox Web browser that plugs at least 10 vulnerabilities.

The Skype flaw, discovered by researcher Aviv Raff, stems from the fact that Skype uses Internet Explorer's Web control to render internal and external HTML pages.

According to Raff, Skype uses an Internet Explorer web control within the application to render internal and external HTML pages. Raff writes on his blog: "Examples for this pages are the 'Send money via PayPal' dialog, or 'Add video to chat' dialog. Recently, I've discovered that Skype is running this web control in Local Zone."

Raff continues: "The more problematic issue here is that Skype runs the HTML pages is a not-locked Local Zone mode, the same as AOL's AIM does in the chat message window. This means, that if it is possible to inject a script to any of those pages, it is possible to execute code on the user's machine." Raff has a short video clip example on his blog that shows a Web site using this Skype flaw to launch the built-in calculator function in Windows (in an attack scenario, the bad guys would almost certainly launch something more useful, such as a command prompt that opens an Internet connection back to the attacker's system.)

Skype users can download the latest version (3.6.*.248) for Windows, Mac and Linux systems at the links provided here.

The Mozilla update brings Firefox to version 2.0.0.12. A list of the changes is available here. Firefox is designed to download updates when they are available and automatically install them. If you haven't seen a pop-up from Firefox saying that a new version has been installed, be patient. The Firefox installation on my home PC only just, last night, alerted me that it had been updated.

Finally, Microsoft said Thursday that it plans to release at least a dozen patch bundles next Tuesday as part of its monthly "Patch Tuesday" cycle, with fixes planned for Windows, Microsoft Office, Internet Explorer and Microsoft Internet Information Server (IIS). More than half of the patches will carry a "critical" rating, Redmond's most dire. As usual, Security Fix will have more details on the patches shortly after they are released next week.

By Brian Krebs | February 8, 2008; 11:02 AM ET
Categories: New Patches
Save & Share: Previous: The Storm Worm's Family Tree
Next: Hackers Exploit Adobe Reader Flaw

Comments

Rough 24 hours for Windows users - 81.01% affected
> http://secunia.com/blog/20
7 February 2008

...add to that the Firefox update and the M$ "Dirty Dozen" for Tuesday...

'Anything productive going to get done, as in "work"?

Posted by: J. Warren | February 8, 2008 12:29 PM | Report abuse

I don't like how the latest version of Firefox doesn't let you highlight an address in the address bar with one click anymore.

I copy and paste a lot of web addresses into discussion forums, and now I have to manually paint the address with my mouse, then right-click and choose "Copy." I used to be able to do this with a simple point-and-click.

If anyone knows of a workaround for this, I'm all ears.

Posted by: Heron | February 8, 2008 9:57 PM | Report abuse

Nix the previous comment. I guess my computer was just acting up, because when I closed Firefox then brought it back up, right-click copying in the location bar resumed working.

Posted by: Heron | February 8, 2008 10:12 PM | Report abuse

Dear Mr. Krebs:

You report that Firefox is
"designed to download updates when they are available and automatically install them."
Wouldn't this cause problems if the user is running in a non-administrative account?

Tom

Posted by: Thomas L Jones, PhD | February 9, 2008 2:36 PM | Report abuse

Alas, when I installed the latest version of Skype on my Windows XP and Windows Vista boots, I encountered difficulties. In the former case, sound from my headpiece microphone, which formerly came through loud and clear, was barely audible ; in the latter it could not be heard at all. I tried re-installing the earlier 3.6.0.244 version, but, somewhat to my surprise, this didn't help. What's going on ?...

Henri

Posted by: M Henri Day | February 9, 2008 5:31 PM | Report abuse

@Tom: Wouldn't this cause problems if the user is running in a non-administrative account?

This is a potential problem, depending on how, and to which location in the filesystem, Firefox is installed. This is from the release notes for version 2.0.0.12:
http://www.mozilla.com/en-US/firefox/2.0.0.12/releasenotes/

"Software Update will not work if Firefox is installed to a location on your disk to which you do not have write access, since Software Update needs to replace or create files in this location.'

(A similar note has been in the notes for all recent releases.)

Installing software is one of the legitimate reasons for using an administrator account.

Posted by: Rich Gibbs | February 9, 2008 7:00 PM | Report abuse

The latest version of Firefox still has the option of "ask me what to do" when updates are found rather than automatically downloading and installing them. When it notifies you of an update, switch to your admin account and then update.
Tools>Options>Advanced>Update is the location for the "ask me what to do" option.

Posted by: A | February 10, 2008 7:45 PM | Report abuse

Claes from Stockholm Sweden here:) I have uppdated to Firefox 2.0.0.12 on three out of five computers. The Firefox on the updated computers tend to freeze from time to time. Looking forward to a more stable version.

Best regards Claes

Posted by: Claes | February 20, 2008 1:30 PM | Report abuse

Regarding your article on A2 finding Ultimate Security on a routine scan. I have had A2 for sometime now & it has never found this, until today after I'd downloaded Comodo's Firewall. I assume this is part of the package as it scans your computer before installing itself.

Posted by: Eric Sheldon | February 23, 2008 10:25 AM | Report abuse

these trees just their neighborhood by themselves exploring It is with my

Posted by: universityau | February 26, 2008 1:58 PM | Report abuse

plants personalities. to it cutting off acorns

Posted by: freeland | February 27, 2008 12:46 AM | Report abuse

Hi! http://cheap-drugs.net/product_zithromax.htm zithromax

Posted by: zithromax | March 26, 2008 3:44 PM | Report abuse

Hi! http://cheap-drugs.net/product_levitra.htm levitra

Posted by: levitra | March 27, 2008 4:16 AM | Report abuse

Hi! https://labs.mozilla.com/forum/index.php?action=profile;u=1808 zithromax

Posted by: zithromax | April 10, 2008 3:15 PM | Report abuse

Useful site. Thanks.
http://www.alz-edu.org/webwizforum/forum/forum_posts.asp?TID=957 stop smoking patch