Check list of recent security flaws in Firefox and Winamp.
November 24th 2006 04:16
In the latest version (Version 2.0)
1. Just two days ago, a security flaw that allows phishing attacks (identity theft) was identified in the latest Version 2. It happens through the password manager in the browser. This is a very serious flaw, people, so take note of it. IE 7 has the same problem, but since IE 7 checks the login server more thoroughly it is not as bad as the Firefox 2 problem. IE 7 users should still be warned.
Solution: Disable the "Remember passwords for sites" option in the preferences.
So all users of Firefox ver 2.0 please take note of this and take the necessary action.
2. Crash condition in Version 2.0:
There is a crash condition in Firefox ver. 2.0, but it is not so common. This is what George Ou had to say about it in his ZDNet blog:
"any kind of flaw that can cause an application to crash has to be alarming because it might be exploitable. It sounds like some modifications were made to make the exploit condition less exploitable but a crash condition still exists." And he goes on "this may or may not still be a serious flaw since the exploit still crashes Firefox 2.0. At some point Mozilla would have to admit this is a problem and really fix it so that the browser doesn't crash at all."
Recent security flaws in the Older versions:
1. Mozilla Firefox and SeaMonkey Multiple Vulnerabilities. These can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, and potentially compromise a vulnerable system. This is highly critical. Versions affected are:
Mozilla SeaMonkey 1.x
Solution:
Update to Mozilla Firefox 1.5.0.8 and SeaMonkey 1.0.6.
2. Two old issues still unpatched in Firefox:
There are still two vulnerabilities rated 2 (rated by Secunia out of 5, which means less critical) that have not been patched by Mozilla. They are:
1. Mozilla / Mozilla Firefox Cross-Domain Cookie Injection Vulnerability
2. Mozilla / Mozilla Firefox Apple Java Plugin Tab Spoofing Vulnerability
Check them out here: vulnerability 1, vulnerability 2.
There were other issues, like the ones that Bugtraq reported, but Mozilla had taken care of those already.
WINAMP
All of you using a Winamp version below 5.31 should upgrade to 5.31 or 5.32 if you haven't already. The two vulnerabilities, viz. the Winamp Lyrics3 and Ultravox Processing Buffer Overflows, affect all previous versions of Winamp and can be used by malicious people to compromise a user's system.
Even though this problem was reported about a month back by Secunia, I still wonder how many of you have updated to 5.31 or 5.32, which is the latest version of Winamp. So I just wanted all of you who haven't heard about this to be aware and take the necessary steps.
Comment by Eric
Mal Gadget
How serious is the password save function flaw? I badly need it because I don't remember a good chunk of my logins and passwords.
Comment by Vimal
It is very critical. Disabling password manager and disabling remember passwords for sites are the solution advised. IE 7 too has the same issue but not as bad as FF 2 since IE 7 checks more thoroughly the login servers. The diff is when it comes to FF 2 the fake page need not be in the same site where u wanna log in but when it comes to IE 7 the malicious page has to be somewhere within the login site.
To store ur passwords use roboform. RoboForm 6.7.9 is free to try and after the trial period you are allowed to store like 30 passwords which would be more than enough for u i guess. But it uses military level encryption so even with that limitation it is better to use it. But if u want a complete free version but a bit inferior tool to store passwords try Free Password Manager Plus 1.6.3. As you might know you will find both of these at download.com.
Btw thx for stopping by man.
Comment by Eric
Mal Gadget
Quick question...
Will any of these password managers import what is already saved in FF?
Comment by Nina
Comment by Vimal
Sorry abt the late reply. Roboform supports importing of passwords from IE autocomplete. However am not sure about Firefox since I haven't tried the latest version of roboform. Maybe the latest version might support it. But even if it does not support it then there is another tool that helps u do that. Follow this link and have a look. Hope it helps.
-----------------------------------------------------------
Nina,
You don't have to remove the passwords from the password manager. Just don't let it fill the forms automatically.