
Security Updates for Firefox, Safari

Both Apple and Mozilla issued updates late Wednesday to plug security holes in their Web browser software.

The Mozilla update fixes a single critical vulnerability with the way Firefox handles "Javascript garbage collection." Mozilla says this update was issued "primarily to address stability concerns. We have no demonstration that this particular crash is exploitable but are issuing this advisory because some crashes of this type have been shown to be exploitable in the past."

Mozilla does note, however, that its Thunderbird e-mail client shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. "This is not the default setting and we strongly discourage users from running JavaScript in mail," Mozilla warned.

Apple's patches fix at least four separate flaws in Safari. All four are present in the Windows version of Safari, while the version designed for Macs contains just two of the vulnerabilities. Windows users can grab the latest version using the bundled Apple Software Update application, while Mac users can fetch the fixes through the built-in Software Update feature.

By Brian Krebs  |  April 17, 2008; 9:02 AM ET
Categories:  New Patches  

Comments

It took me about thirty seconds to apply the Firefox security update, after which I was brought right back to the Security Fix blog. Kudos to Mozilla for making security updates so easy to install. I wish the other major application makers (Adobe, Sun, etc.) could do the same.

Posted by: SSMD | April 17, 2008 9:16 AM | Report abuse

NoScript is one of the best security features you can add to Firefox. I recommend anyone get it.

Firefox Addon Page:
https://addons.mozilla.org/en-US/firefox/addon/722

NoScript's web site:
http://noscript.net

Posted by: DB | April 17, 2008 10:18 AM | Report abuse

NoScript is now at V. 1.6 "Featherlight Armor"

NoScript is licensed under the GNU Public License. http://www.gnu.org/copyleft/gpl.html

In the interest of National Security, computer users should ensure that all software in their computer is licensed under the GPL. If not, the Department of Homeland Security advises you to erase it from your system and install Linux immediately -- unless your name is Osama bin Laden in which case they advise you to use Windows and Symantec "security" products so that they can hack into your computer.

The Washington Post still does not allow readers to post Comments with Javascript turned off. This is a threat to your readers and a threat to the security of the United States of America. Please, in the name of Bush "Pioneer" Tom Ridge and the Bush "Pioneers" and all the hackers working in the RNC's Democrat Surveillance Program, allow us to post comments in the Washingtonpost with Javascript turned off.

Posted by: Singing Senator | April 17, 2008 10:30 AM | Report abuse

Looks to me like Javascript *is* enabled by default in Thunderbird. There is no UI control for it, but if you go to Tools > Options, select the Advanced > General panel and open up the Config Editor, you can find the pref setting "javascript.enabled". The default setting is "true".

Posted by: Chris | April 17, 2008 10:41 AM | Report abuse

To: DB

Whether your post was tongue in cheek or not it's highly obnoxious to always hear people trolling for an opportunity to insert "install Linux" into every conversation.

Posted by: John | April 17, 2008 11:02 AM | Report abuse

Lovely, another Apple update. Which means that stupid Apple Software Update app will tell me that there's an update for Safari.....a program I don't use, have, or want. But it'll tell me on an infuriating fairly frequent basis....oh, and it'll also tell me to install iTunes, another don't use/have/want program.

Posted by: Kim | April 17, 2008 11:08 AM | Report abuse

To John:

Actually, my post was the helpful one about installing NoScript. Singing Senator was the Linux-troll.

Note that signatures are at the bottom of posts in this comment format. Why it's different from other articles, I don't know. I can see how going between the two can lead to confusion.

Posted by: DB | April 17, 2008 11:29 AM | Report abuse

To Kim:

You should be able to highlight the programs in the Apple Software Update app and hit the delete button to remove them until the next update comes out. This should keep the window from popping up every time you turn your computer on (because it has updates in the queue) and make it only pop up when a new update comes out.

Unfortunately, in order to keep Quicktime up to date, you'll need to keep the ASU program.

Posted by: DB | April 17, 2008 11:42 AM | Report abuse

To Chris -

Thanks for the heads up that Javascript *is* enabled by default in Thunderbird. (Fixed now.) Granted, I'm running an older version (1.5.*), but it's dependable, versus others/newer ones that have had many reports of e-mails not showing up or disappearing.

Posted by: igorok | April 17, 2008 12:14 PM | Report abuse

The Firefox upgrade isn't completely perfect. It does not work well if you upgrade while logged in as a non-admin.

Posted by: A | April 17, 2008 8:58 PM | Report abuse

@Chris: You're right about the config setting, but note also that "javascript.allow.mailnews" is set to false by default. I think that overrides the other, because a look at Mozilla's patch pages indicates that they have disabled Javascript in Tbird until they can fix the bug. This is supposed to be happening in v2.0.0.14, but that hasn't been shipped yet.

@A: I never have a problem doing Firefox upgrades, and I don't do them as Admin. Is it possible that you installed Ffox as Admin, and that's the problem? I installed Ffox as a regular user. Maybe that's the difference.

Posted by: Brendan | April 17, 2008 9:19 PM | Report abuse

@Chris, igorok:

Mail windows are a special type and obey the "javascript.allow.mailnews" setting. This has always been set to false in Thunderbird. There are two settings because the original Mozilla Suite was a combined browser and mail client. If you opened a "browser" window in Thunderbird (there's an add-on that does this for some reason) that window would obey the javascript.enabled pref.

Posted by: Dan Veditz | April 18, 2008 2:03 PM | Report abuse
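
The two-pref behaviour described in the comment above, as an added example that is not part of the original post or Mozilla's code: a small Python audit of `user_pref()` lines that reports whether scripts would run in mail windows. The default values are the ones commenters reported, the window-type rule is taken from the comment, and the sample file contents are constructed.

```python
import re

# Defaults as reported in the comments (assumed, not read from Thunderbird itself).
DEFAULTS = {"javascript.enabled": True, "javascript.allow.mailnews": False}

# Matches boolean lines such as: user_pref("javascript.enabled", false);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: bool} for boolean user_pref() lines; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)  # commented-out lines do not match
        if m:
            prefs[m.group(1)] = (m.group(2) == "true")
    return prefs

def effective(*pref_texts):
    """Overlay each file on the defaults in order (prefs.js, then user.js)."""
    merged = dict(DEFAULTS)
    for text in pref_texts:
        merged.update(parse_prefs(text))
    return merged

def script_allowed(prefs, window_type):
    """Rule from the comment: mail windows obey javascript.allow.mailnews,
    browser windows obey javascript.enabled."""
    if window_type == "mail":
        return prefs["javascript.allow.mailnews"]
    if window_type == "browser":
        return prefs["javascript.enabled"]
    raise ValueError("unknown window type: " + window_type)

def audit(*pref_texts):
    """Return (effective prefs, findings) for the mail-client case."""
    prefs = effective(*pref_texts)
    findings = []
    if script_allowed(prefs, "mail"):
        findings.append("javascript.allow.mailnews is true: scripts run in mail windows")
    return prefs, findings

# Constructed sample profile files (not taken from a real profile).
SAMPLE_PREFS_JS = '''# Mozilla User Preferences
// user_pref("javascript.allow.mailnews", true);
user_pref("javascript.enabled", true);
'''
SAMPLE_USER_JS = 'user_pref("javascript.allow.mailnews", true);\n'

if __name__ == "__main__":
    print(audit(SAMPLE_PREFS_JS))                  # defaults hold, no findings
    print(audit(SAMPLE_PREFS_JS, SAMPLE_USER_JS))  # override flagged
```
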

"Windows users can grab the latest version using the bundled Apple Software Update application"

How many Windows users end up with an unwanted Safari browser when using the Software Update feature?

"Safari being automatically checked and enabled for download and installation on Windows machines was going a step too far."

http://isc.sans.org/diary.html?storyid=43

Bad Apple!

Posted by: TJ | April 21, 2008 3:50 PM | Report abuse

Oops, wrong link above. Here is the correct one:

http://isc.sans.org/diary.html?storyid=4313

Posted by: TJ | April 21, 2008 3:53 PM | Report abuse

One aspect of (Firefox) security that is often overlooked is all the addons users get to run with this and other programs. Loading plugins and scripts to make browsing easier can come at a price if they provide a backdoor for someone to leech your data or zombify your machine. I wrote about improving Firefox security on Sciencetext.com some time ago:

http://www.sciencetext.com/remove-firefox-addons-improve-security.html


db

Posted by: David Bradley | April 24, 2008 4:57 AM | Report abuse

The comments to this entry are closed.

 
 