
FIREFOX 3.0 and lower vulnerability



Posted

Code execution vulnerability found in Firefox 3.0

 

Ryan Naraine: Just hours after the official release of the

latest refresh of Mozilla's flagship browser, an unnamed researcher has sold

a critical code execution vulnerability that puts millions of Firefox 3.0

users at risk of PC takeover attacks.

 

http://blogs.zdnet.com/security/?p=1288

 

--

MEB

http://peoplescounsel.orgfree.com

--

_________

Guest Gary S. Terhune
Posted

Re: FIREFOX 3.0 and lower vulnerability

 

So much for all those people who claim IE must be removed and replaced with

something else, Firefox being the most frequently mentioned.

 

How long do you think it will take to fix it?

 

--

Gary S. Terhune

MS-MVP Shell/User

http://grystmill.com

 

"MEB" <meb@not here@hotmail.com> wrote in message

news:%234bxhlj0IHA.2188@TK2MSFTNGP04.phx.gbl...

>

> Code execution vulnerability found in Firefox 3.0

>

> Ryan Naraine: Just hours after the official release of the

> latest refresh of Mozilla's flagship browser, an unnamed researcher has

> sold

> a critical code execution vulnerability that puts millions of Firefox3.0

> users at risk of PC takeover attacks.

>

> http://blogs.zdnet.com/security/?p=1288

>

> --

> MEB

> http://peoplescounsel.orgfree.com

> --

> _________

>

>

Guest Julie
Posted

Re: FIREFOX 3.0 and lower vulnerability

 

What does this have to do with Windows 98? Firefox 3.0 is incompatible with

Win98.

 

 

"MEB" <meb@not here@hotmail.com> wrote in message

news:%234bxhlj0IHA.2188@TK2MSFTNGP04.phx.gbl...

>

> Code execution vulnerability found in Firefox 3.0

>

> Ryan Naraine: Just hours after the official release of the

> latest refresh of Mozilla's flagship browser, an unnamed researcher has

sold

> a critical code execution vulnerability that puts millions of Firefox3.0

> users at risk of PC takeover attacks.

>

> http://blogs.zdnet.com/security/?p=1288

>

> --

> MEB

> http://peoplescounsel.orgfree.com

> --

> _________

>

>

Guest Gary S. Terhune
Posted

Re: FIREFOX 3.0 and lower vulnerability

 

While you have a legitimate point, think of it as part of an ongoing

discussion about various OSes and their comparative "vulnerabilities".

Whenever someone posts a problem with IE or OE it's a good bet that someone

will slam them for even using those apps, saying they should use Thunderbird

or Firefox (or whatever), instead, because these latter are so totally safe

from intrusion. Or they go even further and claim that Windows is a disaster

due to so many vulnerabilities, and some other OS should be used instead,

ignoring the fact that if their recommendation owned 80% to 90% of the

market, it would be considered just as bad as Windows is now considered.

 

Likewise, MEB recently posted two CERTs exposing vulnerabilities in the

latest QuickTime and SNMPv3, neither of which are MS products but both of

which are serious problems for Windows users in general. My response was

that of course EVERY bit of software potentially contains code which makes

it vulnerable to attack in some way, and for that reason, every sane person

should throw away their computers and all computer-based items immediately

(which means nearly every appliance in a modern person's panoply -- cell

phone, Blackberries, I-whatevers), and stop using things like banks and any

other critical service that uses computers.

 

I was being facetious, of course...I think... My point is that you don't

totally outlaw automobiles and return to the slow-poke age of horsecrap

everywhere, just because a relatively few people get hurt or killed every

year, even when they're driving the most modern automobile available. It's a

baby & bathwater kind of thing.

 

The tie-in to Windows 9x is that more and more companies are no longer

supporting 9x in any way, and IF you're really worried about all that stuff,

you should definitely quit using 9x altogether. Personally, some standard

layers of anti-malware protection and sensible habits, plus the fact that in

most cases the problem is fixed before the public (including the bad guys)

even know there is one, make nearly all those vulnerabilities irrelevant,

even if they remain unpatched. (Just as an added comment, this is why

auto-updaters, or at least some very in-your-face and timely update

notifications, ARE so important. Problem is, you can't run them on Windows

9x because they suck up the puny Resources 9x is cursed with.) The real

problem for Win98 users will be when there are no longer any AV or other

anti-malware or firewall apps that work on them.

 

--

Gary S. Terhune

MS-MVP Shell/User

http://grystmill.com

 

"Julie" <julieb@bellsouth.net> wrote in message

news:%23knLZtk0IHA.2408@TK2MSFTNGP04.phx.gbl...

> What does this have to do with Windows 98. Firefox 3.0 is incompatible

> with

> Win98.

>

>

> "MEB" <meb@not here@hotmail.com> wrote in message

> news:%234bxhlj0IHA.2188@TK2MSFTNGP04.phx.gbl...

>>

>> Code execution vulnerability found in Firefox 3.0

>>

>> Ryan Naraine: Just hours after the official release of the

>> latest refresh of Mozilla's flagship browser, an unnamed researcher has

> sold

>> a critical code execution vulnerability that puts millions of Firefox3.0

>> users at risk of PC takeover attacks.

>>

>> http://blogs.zdnet.com/security/?p=1288

>>

>> --

>> MEB

>> http://peoplescounsel.orgfree.com

>> --

>> _________

>>

>>

>

>

Posted

Re: FIREFOX 3.0 and lower vulnerability

 

In part, Gary has responded; however, the point you apparently missed is

that this vulnerability IS present in prior versions, the party who

discovered and documented the vulnerability waited until the 3.0 version to

*cash in* [get paid for the discovery]. So likely, any Firefox 2.+ version

also contains this vulnerability.. whether it will be patched in those

versions is unknown.

NOTE that it says *and lower* in the heading.

 

--

MEB

http://peoplescounsel.orgfree.com

--

_________

 

 

"Julie" <julieb@bellsouth.net> wrote in message

news:%23knLZtk0IHA.2408@TK2MSFTNGP04.phx.gbl...

| What does this have to do with Windows 98. Firefox 3.0 is incompatible

with

| Win98.

|

|

| "MEB" <meb@not here@hotmail.com> wrote in message

| news:%234bxhlj0IHA.2188@TK2MSFTNGP04.phx.gbl...

| >

| > Code execution vulnerability found in Firefox 3.0

| >

| > Ryan Naraine: Just hours after the official release of the

| > latest refresh of Mozilla's flagship browser, an unnamed researcher has

| sold

| > a critical code execution vulnerability that puts millions of Firefox3.0

| > users at risk of PC takeover attacks.

| >

| > http://blogs.zdnet.com/security/?p=1288

| >

| > --

| > MEB

| > http://peoplescounsel.orgfree.com

| > --

| > _________

| >

| >

|

|

Posted

Re: FIREFOX 3.0 and lower vulnerability

 

Isn't FFv.x.x a shell technology that rides on top of windows explorer? If

the internet browser is vulnerable, what about explorer?

Posted

Re: FIREFOX 3.0 and lower vulnerability

 

Not quite sure what the question relates to.. the code for Firefox is what

makes the vulnerability to attack, no vulnerability in the code, the attack

point doesn't exist.

 

--

MEB

http://peoplescounsel.orgfree.com

--

_________

 

"Jim" <invalid@example.invalid> wrote in message

news:uqq6ypm0IHA.3884@TK2MSFTNGP05.phx.gbl...

| Isn't FFv.x.x a shell technology that rides on top of windows explorer? If

| the internet browser is vulnerable, what about explorer?

|

|

Posted

Re: FIREFOX 3.0 and lower vulnerability

 

If you look at MS Autoruns with MS entries showing and then not, you will

see that the software [*.dll] running the MSIE is Windows Explorer. The IE

is also just a shell.

"MEB" <meb@not here@hotmail.com> wrote in message

news:O3vUFon0IHA.5728@TK2MSFTNGP06.phx.gbl...

> Not quite sure what the question relates too.. the code for Firefox is

what

> makes the vulnerability to attack, no vulnerability in the code, the

attack

> point doesn't exist.

>

> --

> MEB

> http://peoplescounsel.orgfree.com

> --

> _________

>

> "Jim" <invalid@example.invalid> wrote in message

> news:uqq6ypm0IHA.3884@TK2MSFTNGP05.phx.gbl...

> | Isn't FFv.x.x a shell technology that rides on top of windows explorer?

If

> | the internet browser is vulnerable, what about explorer?

> |

> |

>

>

Guest Gary S. Terhune
Posted

Re: FIREFOX 3.0 and lower vulnerability

 

Thought I'd toss in that IE is not just a browser but is also the shell for

HTML Help and an increasing number of Windows applications' GUIs.

 

--

Gary S. Terhune

MS-MVP Shell/User

http://grystmill.com

 

"Jim" <invalid@example.invalid> wrote in message

news:uKGXq3n0IHA.552@TK2MSFTNGP06.phx.gbl...

> If you look at MS Autoruns with MS entries showing and then not. You will

> see that the software [*.dll] running the MSIE is Windows Explorer. The IE

> is also just a shell.

> "MEB" <meb@not here@hotmail.com> wrote in message

> news:O3vUFon0IHA.5728@TK2MSFTNGP06.phx.gbl...

>> Not quite sure what the question relates too.. the code for Firefox is

> what

>> makes the vulnerability to attack, no vulnerability in the code, the

> attack

>> point doesn't exist.

>>

>> --

>> MEB

>> http://peoplescounsel.orgfree.com

>> --

>> _________

>>

>> "Jim" <invalid@example.invalid> wrote in message

>> news:uqq6ypm0IHA.3884@TK2MSFTNGP05.phx.gbl...

>> | Isn't FFv.x.x a shell technology that rides on top of windows explorer?

> If

>> | the internet browser is vulnerable, what about explorer?

>> |

>> |

>>

>>

>

>

Posted

Re: FIREFOX 3.0 and lower vulnerability

 

Ah, okay, but then you do understand that Explorer is the graphical

interface to {most} of Windows GUI aspects. I see your point though.

Try using Dependency Walker on IExplore, C:\Program Files\Mozilla

Firefox\firefox.exe, and a few other programs. Profile them ...

If you're feeling like you want the *big picture*, run filemon and/or regmon

while you do this activity... after you run through those, open some of your

favorite programs also while running filemon/regmon..

 

So that still doesn't explain your original question. The code error is in

Firefox, the vulnerability is fixed if/when that code is fixed. IS Explorer

vulnerable,, ah I suppose so,,, buuuuuutttttt, not without the unfixed

Firefox running which supplies/provides the vulnerability.

 

--

MEB

http://peoplescounsel.orgfree.com

--

_________

 

 

"Jim" <invalid@example.invalid> wrote in message

news:uKGXq3n0IHA.552@TK2MSFTNGP06.phx.gbl...

| If you look at MS Autoruns with MS entries showing and then not. You will

| see that the software [*.dll] running the MSIE is Windows Explorer. The IE

| is also just a shell.

| "MEB" <meb@not here@hotmail.com> wrote in message

| news:O3vUFon0IHA.5728@TK2MSFTNGP06.phx.gbl...

| > Not quite sure what the question relates too.. the code for Firefox is

| what

| > makes the vulnerability to attack, no vulnerability in the code, the

| attack

| > point doesn't exist.

| >

| > --

| > MEB

| > http://peoplescounsel.orgfree.com

| > --

| > _________

| >

| > "Jim" <invalid@example.invalid> wrote in message

| > news:uqq6ypm0IHA.3884@TK2MSFTNGP05.phx.gbl...

| > | Isn't FFv.x.x a shell technology that rides on top of windows

explorer?

| If

| > | the internet browser is vulnerable, what about explorer?

| > |

| > |

| >

| >

|

|

Posted

Re: FIREFOX 3.0 and lower vulnerability

 

Yes. This is because we all are working online almost all the time and in my

configuration I am always online from network bootup. Basically, working

like xp with a win98se OS and not as much system resources...but with BB and

smart choices of running services, ha! I am doing better than most with

xp...willard hates me... [see willard crash on win98 on youtube].

"Gary S. Terhune" <none> wrote in message

news:%23J8fAgo0IHA.2188@TK2MSFTNGP04.phx.gbl...

> Thought I'd toss in that IE is not just a browser but is also the shell

for

> HTML Help and an increasing number of Windows applications' GUIs.

>

> --

> Gary S. Terhune

> MS-MVP Shell/User

> http://grystmill.com

>

> "Jim" <invalid@example.invalid> wrote in message

> news:uKGXq3n0IHA.552@TK2MSFTNGP06.phx.gbl...

> > If you look at MS Autoruns with MS entries showing and then not. You

will

> > see that the software [*.dll] running the MSIE is Windows Explorer. The

IE

> > is also just a shell.

> > "MEB" <meb@not here@hotmail.com> wrote in message

> > news:O3vUFon0IHA.5728@TK2MSFTNGP06.phx.gbl...

> >> Not quite sure what the question relates too.. the code for Firefox is

> > what

> >> makes the vulnerability to attack, no vulnerability in the code, the

> > attack

> >> point doesn't exist.

> >>

> >> --

> >> MEB

> >> http://peoplescounsel.orgfree.com

> >> --

> >> _________

> >>

> >> "Jim" <invalid@example.invalid> wrote in message

> >> news:uqq6ypm0IHA.3884@TK2MSFTNGP05.phx.gbl...

> >> | Isn't FFv.x.x a shell technology that rides on top of windows

explorer?

> > If

> >> | the internet browser is vulnerable, what about explorer?

> >> |

> >> |

> >>

> >>

> >

> >

>

>

Guest Gary S. Terhune
Posted

Re: FIREFOX 3.0 and lower vulnerability

 

You know, I can't make much sense out of what you wrote. What does my

addendum above have to do with always being online? What's "BB"? And what

makes you think that you're doing better than "most" people who use XP?

That's pure BS. Typical false logic of comparing your obsessively tuned but

obsolete OS with one that is a powerhouse and runs much better than 9x if

properly managed. In fact, XP is much better idiot-proofed than 9x, so I'd

say you must be comparing yourself to a particularly stupid crowd of idiots if

they're having more trouble with WinXP than you are with 9x.

 

Why is it that 9x enthusiasts insist on comparing themselves to incompetent

idiots? Because that's the only way they can win the argument, perhaps?

 

--

Gary S. Terhune

MS-MVP Shell/User

http://grystmill.com

 

"Jim" <invalid@example.invalid> wrote in message

news:u6AQQEu0IHA.3920@TK2MSFTNGP02.phx.gbl...

> Yes. This is because we all are working online almost all the time and in

> my

> configuration I am always online from network bootup. Basically, working

> like xp with a win98se OS and not as much system resources...but with BB

> and

> smart choices of running services, ha! I am doing better than most with

> xp...willard hates me... [see willard crash on win98 on youtube].

> "Gary S. Terhune" <none> wrote in message

> news:%23J8fAgo0IHA.2188@TK2MSFTNGP04.phx.gbl...

>> Thought I'd toss in that IE is not just a browser but is also the shell

> for

>> HTML Help and an increasing number of Windows applications' GUIs.

>>

>> --

>> Gary S. Terhune

>> MS-MVP Shell/User

>> http://grystmill.com

>>

>> "Jim" <invalid@example.invalid> wrote in message

>> news:uKGXq3n0IHA.552@TK2MSFTNGP06.phx.gbl...

>> > If you look at MS Autoruns with MS entries showing and then not. You

> will

>> > see that the software [*.dll] running the MSIE is Windows Explorer. The

> IE

>> > is also just a shell.

>> > "MEB" <meb@not here@hotmail.com> wrote in message

>> > news:O3vUFon0IHA.5728@TK2MSFTNGP06.phx.gbl...

>> >> Not quite sure what the question relates too.. the code for Firefox is

>> > what

>> >> makes the vulnerability to attack, no vulnerability in the code, the

>> > attack

>> >> point doesn't exist.

>> >>

>> >> --

>> >> MEB

>> >> http://peoplescounsel.orgfree.com

>> >> --

>> >> _________

>> >>

>> >> "Jim" <invalid@example.invalid> wrote in message

>> >> news:uqq6ypm0IHA.3884@TK2MSFTNGP05.phx.gbl...

>> >> | Isn't FFv.x.x a shell technology that rides on top of windows

> explorer?

>> > If

>> >> | the internet browser is vulnerable, what about explorer?

>> >> |

>> >> |

>> >>

>> >>

>> >

>> >

>>

>>

>

>

Posted

Re: FIREFOX 3.0 and lower vulnerability

 

Here is some information about the vulnerability from secunia ---

 

http://secunia.com/advisories/30761/

 

Currently, Firefox users are looking at a July 1, 2008

 

http://wiki.mozilla.org/Releases/Firefox_2.0.0.15

 

"MEB" wrote:

> Ah, okay, but then you do understand that Explorer is the graphical

> interface to {most} of Windows GUI aspects. I see your point though.

> Try using Dependency Walker on IExplore, C:\Program Files\Mozilla

> Firefox\firefox.exe, and a few other programs. Profile them ...

> If your feeling like you want the *big picture*, run filemon and/or regmon

> while you do this activity... after you run through those, open some of your

> favorite programs also while running filemon/regmon..

>

> So that still doesn't explain your original question. The code error is in

> Firefox, the vulnerability is fixed if/when that code is fixed. IS Explorer

> vulnerable,, ah I suppose so,,, buuuuuutttttt, not without the unfixed

> Firefox running which supplies/provides the vulnerability.

>

> --

> MEB

> http://peoplescounsel.orgfree.com

> --

> _________

>

>

> "Jim" <invalid@example.invalid> wrote in message

> news:uKGXq3n0IHA.552@TK2MSFTNGP06.phx.gbl...

> | If you look at MS Autoruns with MS entries showing and then not. You will

> | see that the software [*.dll] running the MSIE is Windows Explorer. The IE

> | is also just a shell.

> | "MEB" <meb@not here@hotmail.com> wrote in message

> | news:O3vUFon0IHA.5728@TK2MSFTNGP06.phx.gbl...

> | > Not quite sure what the question relates too.. the code for Firefox is

> | what

> | > makes the vulnerability to attack, no vulnerability in the code, the

> | attack

> | > point doesn't exist.

> | >

> | > --

> | > MEB

> | > http://peoplescounsel.orgfree.com

> | > --

> | > _________

> | >

> | > "Jim" <invalid@example.invalid> wrote in message

> | > news:uqq6ypm0IHA.3884@TK2MSFTNGP05.phx.gbl...

> | > | Isn't FFv.x.x a shell technology that rides on top of windows

> explorer?

> | If

> | > | the internet browser is vulnerable, what about explorer?

> | > |

> | > |

> | >

> | >

> |

> |

>

>

>

Posted

Re: FIREFOX 3.0 and lower vulnerability

 

Thanks for the links, but is that version FREE of the vulnerability to your

knowledge?

 

--

MEB

http://peoplescounsel.orgfree.com

--

_________

 

"Dan" <Dan@discussions.microsoft.com> wrote in message

news:DCA38CC2-D287-4521-B8C4-AF1B7BEFA2F8@microsoft.com...

| Here is some information about the vulnerability from secunia ---

|

| http://secunia.com/advisories/30761/

|

| Currently, Firefox users are looking at a July 1, 2008

|

| http://wiki.mozilla.org/Releases/Firefox_2.0.0.15

|

| "MEB" wrote:

|

| > Ah, okay, but then you do understand that Explorer is the graphical

| > interface to {most} of Windows GUI aspects. I see your point though.

| > Try using Dependency Walker on IExplore, C:\Program Files\Mozilla

| > Firefox\firefox.exe, and a few other programs. Profile them ...

| > If your feeling like you want the *big picture*, run filemon and/or

regmon

| > while you do this activity... after you run through those, open some of

your

| > favorite programs also while running filemon/regmon..

| >

| > So that still doesn't explain your original question. The code error is

in

| > Firefox, the vulnerability is fixed if/when that code is fixed. IS

Explorer

| > vulnerable,, ah I suppose so,,, buuuuuutttttt, not without the unfixed

| > Firefox running which supplies/provides the vulnerability.

| >

| > --

| > MEB

| > http://peoplescounsel.orgfree.com

| > --

| > _________

| >

| >

| > "Jim" <invalid@example.invalid> wrote in message

| > news:uKGXq3n0IHA.552@TK2MSFTNGP06.phx.gbl...

| > | If you look at MS Autoruns with MS entries showing and then not. You

will

| > | see that the software [*.dll] running the MSIE is Windows Explorer.

The IE

| > | is also just a shell.

| > | "MEB" <meb@not here@hotmail.com> wrote in message

| > | news:O3vUFon0IHA.5728@TK2MSFTNGP06.phx.gbl...

| > | > Not quite sure what the question relates too.. the code for Firefox

is

| > | what

| > | > makes the vulnerability to attack, no vulnerability in the code, the

| > | attack

| > | > point doesn't exist.

| > | >

| > | > --

| > | > MEB

| > | > http://peoplescounsel.orgfree.com

| > | > --

| > | > _________

| > | >

| > | > "Jim" <invalid@example.invalid> wrote in message

| > | > news:uqq6ypm0IHA.3884@TK2MSFTNGP05.phx.gbl...

| > | > | Isn't FFv.x.x a shell technology that rides on top of windows

| > explorer?

| > | If

| > | > | the internet browser is vulnerable, what about explorer?

| > | > |

| > | > |

| > | >

| > | >

| > |

| > |

| >

| >

| >

Posted

Re: FIREFOX 3.0 and lower vulnerability

 

The new updated version has not been released yet and I think it should be

free from the vulnerability because Mozilla pushed the release date back a

few days and my guess is that the reason was because of this vulnerability.

The big problem is that Mozilla Firefox has this highly critical

vulnerability and it appears the new version of Opera is problematic for some

users so that leaves Internet Explorer or some other lesser known browser for

users to more safely use. I would caution users to be careful what browsers

they download because there are always people out there that will try and

take advantage of the situation and have browsers that do not work well or

worse are spyware or malware infested.

 

 

"MEB" wrote:

> Thanks for the links, but is that version FREE of the vulnerability to your

> knowledge?

>

> --

> MEB

> http://peoplescounsel.orgfree.com

> --

> _________

>

> "Dan" <Dan@discussions.microsoft.com> wrote in message

> news:DCA38CC2-D287-4521-B8C4-AF1B7BEFA2F8@microsoft.com...

> | Here is some information about the vulnerability from secunia ---

> |

> | http://secunia.com/advisories/30761/

> |

> | Currently, Firefox users are looking at a July 1, 2008

> |

> | http://wiki.mozilla.org/Releases/Firefox_2.0.0.15

> |

> | "MEB" wrote:

> |

> | > Ah, okay, but then you do understand that Explorer is the graphical

> | > interface to {most} of Windows GUI aspects. I see your point though.

> | > Try using Dependency Walker on IExplore, C:\Program Files\Mozilla

> | > Firefox\firefox.exe, and a few other programs. Profile them ...

> | > If your feeling like you want the *big picture*, run filemon and/or

> regmon

> | > while you do this activity... after you run through those, open some of

> your

> | > favorite programs also while running filemon/regmon..

> | >

> | > So that still doesn't explain your original question. The code error is

> in

> | > Firefox, the vulnerability is fixed if/when that code is fixed. IS

> Explorer

> | > vulnerable,, ah I suppose so,,, buuuuuutttttt, not without the unfixed

> | > Firefox running which supplies/provides the vulnerability.

> | >

> | > --

> | > MEB

> | > http://peoplescounsel.orgfree.com

> | > --

> | > _________

> | >

> | >

> | > "Jim" <invalid@example.invalid> wrote in message

> | > news:uKGXq3n0IHA.552@TK2MSFTNGP06.phx.gbl...

> | > | If you look at MS Autoruns with MS entries showing and then not. You

> will

> | > | see that the software [*.dll] running the MSIE is Windows Explorer.

> The IE

> | > | is also just a shell.

> | > | "MEB" <meb@not here@hotmail.com> wrote in message

> | > | news:O3vUFon0IHA.5728@TK2MSFTNGP06.phx.gbl...

> | > | > Not quite sure what the question relates too.. the code for Firefox

> is

> | > | what

> | > | > makes the vulnerability to attack, no vulnerability in the code, the

> | > | attack

> | > | > point doesn't exist.

> | > | >

> | > | > --

> | > | > MEB

> | > | > http://peoplescounsel.orgfree.com

> | > | > --

> | > | > _________

> | > | >

> | > | > "Jim" <invalid@example.invalid> wrote in message

> | > | > news:uqq6ypm0IHA.3884@TK2MSFTNGP05.phx.gbl...

> | > | > | Isn't FFv.x.x a shell technology that rides on top of windows

> | > explorer?

> | > | If

> | > | > | the internet browser is vulnerable, what about explorer?

> | > | > |

> | > | > |

> | > | >

> | > | >

> | > |

> | > |

> | >

> | >

> | >

>

>

>

Posted

Re: FIREFOX 3.0 and lower vulnerability

 

Thanks Dan, keep us posted on the outcome...

 

--

MEB

http://peoplescounsel.orgfree.com

--

_________

 

"Dan" <Dan@discussions.microsoft.com> wrote in message

news:C241B07A-73CB-402C-803E-216C4FC7C4C7@microsoft.com...

| The new updated version has not been released yet and I think it should be

| free from the vulnerability because Mozilla pushed the release date back a

| few days and my guess is that the reason was because of this

vulnerability.

| The big problem is that Mozilla Firefox has this highly critical

| vulnerability and it appears the new version of Opera is problematic for

some

| users so that leaves Internet Explorer or some other lesser known browser

for

| users to more safely use. I would caution users to be careful what

browsers

| they download because there are always people out there that will try and

| take advantage of the situation and have browsers that do not work well or

| worse are spyware or malware infested.

|

|

| "MEB" wrote:

|

| > Thanks for the links, but is that version FREE of the vulnerability to

your

| > knowledge?

| >

| > --

| > MEB

| > http://peoplescounsel.orgfree.com

| > --

| > _________

| >

| > "Dan" <Dan@discussions.microsoft.com> wrote in message

| > news:DCA38CC2-D287-4521-B8C4-AF1B7BEFA2F8@microsoft.com...

| > | Here is some information about the vulnerability from secunia ---

| > |

| > | http://secunia.com/advisories/30761/

| > |

| > | Currently, Firefox users are looking at a July 1, 2008

| > |

| > | http://wiki.mozilla.org/Releases/Firefox_2.0.0.15

| > |

| > | "MEB" wrote:

| > |

| > | > Ah, okay, but then you do understand that Explorer is the graphical

| > | > interface to {most} of Windows GUI aspects. I see your point though.

| > | > Try using Dependency Walker on IExplore, C:\Program Files\Mozilla

| > | > Firefox\firefox.exe, and a few other programs. Profile them ...

| > | > If your feeling like you want the *big picture*, run filemon and/or

| > regmon

| > | > while you do this activity... after you run through those, open some

of

| > your

| > | > favorite programs also while running filemon/regmon..

| > | >

| > | > So that still doesn't explain your original question. The code

error is

| > in

| > | > Firefox, the vulnerability is fixed if/when that code is fixed. IS

| > Explorer

| > | > vulnerable,, ah I suppose so,,, buuuuuutttttt, not without the

unfixed

| > | > Firefox running which supplies/provides the vulnerability.

| > | >

| > | > --

| > | > MEB

| > | > http://peoplescounsel.orgfree.com

| > | > --

| > | > _________

| > | >

| > | >

| > | > "Jim" <invalid@example.invalid> wrote in message

| > | > news:uKGXq3n0IHA.552@TK2MSFTNGP06.phx.gbl...

| > | > | If you look at MS Autoruns with MS entries showing and then not.

You

| > will

| > | > | see that the software [*.dll] running the MSIE is Windows

Explorer.

| > The IE

| > | > | is also just a shell.

| > | > | "MEB" <meb@not here@hotmail.com> wrote in message

| > | > | news:O3vUFon0IHA.5728@TK2MSFTNGP06.phx.gbl...

| > | > | > Not quite sure what the question relates too.. the code for

Firefox

| > is

| > | > | what

| > | > | > makes the vulnerability to attack, no vulnerability in the code,

the

| > | > | attack

| > | > | > point doesn't exist.

| > | > | >

| > | > | > --

| > | > | > MEB

| > | > | > http://peoplescounsel.orgfree.com

| > | > | > --

| > | > | > _________

| > | > | >

| > | > | > "Jim" <invalid@example.invalid> wrote in message

| > | > | > news:uqq6ypm0IHA.3884@TK2MSFTNGP05.phx.gbl...

| > | > | > | Isn't FFv.x.x a shell technology that rides on top of windows

| > | > explorer?

| > | > | If

| > | > | > | the internet browser is vulnerable, what about explorer?

| > | > | > |

| > | > | > |

| > | > | >

| > | > | >

| > | > |

| > | > |

| > | >

| > | >

| > | >

| >

| >

| >

Posted

Re: FIREFOX 3.0 and lower vulnerability

 

You're welcome. I will let you know anything more that I find out about the

vulnerability affecting Mozilla Firefox.

 

"MEB" wrote:

> Thanks Dan, keep us posted on the outcome...

>

> --

> MEB

> http://peoplescounsel.orgfree.com

> --

> _________

>

> "Dan" <Dan@discussions.microsoft.com> wrote in message

> news:C241B07A-73CB-402C-803E-216C4FC7C4C7@microsoft.com...

> | The new updated version has not been released yet and I think it should be

> | free from the vulnerability because Mozilla pushed the release date back a

> | few days and my guess is that the reason was because of this

> vulnerability.

> | The big problem is that Mozilla Firefox has this highly critical

> | vulnerability and it appears the new version of Opera is problematic for

> some

> | users so that leaves Internet Explorer or some other lesser known browser

> for

> | users to more safely use. I would caution users to be careful what

> browsers

> | they download because there are always people out there that will try and

> | take advantage of the situation and have browsers that do not work well or

> | worse are spyware or malware infested.

> |

> |

> | "MEB" wrote:

> |

> | > Thanks for the links, but is that version FREE of the vulnerability to

> your

> | > knowledge?

> | >

> | > --

> | > MEB

> | > http://peoplescounsel.orgfree.com

> | > --

> | > _________

> | >

> | > "Dan" <Dan@discussions.microsoft.com> wrote in message

> | > news:DCA38CC2-D287-4521-B8C4-AF1B7BEFA2F8@microsoft.com...

> | > | Here is some information about the vulnerability from secunia ---

> | > |

> | > | http://secunia.com/advisories/30761/

> | > |

> | > | Currently, Firefox users are looking at a July 1, 2008

> | > |

> | > | http://wiki.mozilla.org/Releases/Firefox_2.0.0.15

> | > |

> | > | "MEB" wrote:

> | > |

> | > | > Ah, okay, but then you do understand that Explorer is the graphical

> | > | > interface to {most} of Windows GUI aspects. I see your point though.

> | > | > Try using Dependency Walker on IExplore, C:\Program Files\Mozilla

> | > | > Firefox\firefox.exe, and a few other programs. Profile them ...

> | > | > If your feeling like you want the *big picture*, run filemon and/or

> | > regmon

> | > | > while you do this activity... after you run through those, open some

> of

> | > your

> | > | > favorite programs also while running filemon/regmon..

> | > | >

> | > | > So that still doesn't explain your original question. The code

> error is

> | > in

> | > | > Firefox, the vulnerability is fixed if/when that code is fixed. IS

> | > Explorer

> | > | > vulnerable,, ah I suppose so,,, buuuuuutttttt, not without the

> unfixed

> | > | > Firefox running which supplies/provides the vulnerability.

> | > | >

> | > | > --

> | > | > MEB

> | > | > http://peoplescounsel.orgfree.com

> | > | > --

> | > | > _________

> | > | >

> | > | >

> | > | > "Jim" <invalid@example.invalid> wrote in message

> | > | > news:uKGXq3n0IHA.552@TK2MSFTNGP06.phx.gbl...

> | > | > | If you look at MS Autoruns with MS entries showing and then not.

> You

> | > will

> | > | > | see that the software [*.dll] running the MSIE is Windows

> Explorer.

> | > The IE

> | > | > | is also just a shell.

> | > | > | "MEB" <meb@not here@hotmail.com> wrote in message

> | > | > | news:O3vUFon0IHA.5728@TK2MSFTNGP06.phx.gbl...

> | > | > | > Not quite sure what the question relates too.. the code for

> Firefox

> | > is

> | > | > | what

> | > | > | > makes the vulnerability to attack, no vulnerability in the code,

> the

> | > | > | attack

> | > | > | > point doesn't exist.

> | > | > | >

> | > | > | > --

> | > | > | > MEB

> | > | > | > http://peoplescounsel.orgfree.com

> | > | > | > --

> | > | > | > _________

> | > | > | >

> | > | > | > "Jim" <invalid@example.invalid> wrote in message

> | > | > | > news:uqq6ypm0IHA.3884@TK2MSFTNGP05.phx.gbl...

> | > | > | > | Isn't FFv.x.x a shell technology that rides on top of windows explorer? If

> | > | > | > | the internet browser is vulnerable, what about explorer?

> | > | > | > |

> | > | > | > |

> | > | > | >

> | > | > | >

> | > | > |

> | > | > |

> | > | >

> | > | >

> | > | >

> | >

> | >

> | >

>

>

>

Posted

Re: FIREFOX 3.0 and lower vulnerability

 

There is not much new information on the vulnerability yet but this might be

of interest to you and others from us-cert.

 

http://www.us-cert.gov/cas/bulletins/SB08-175.html

 

<this page includes the week's vulnerabilities that include the Mozilla

Firefox vulnerability>

 

Mozilla -- Firefox

 

Buffer overflow in Firefox 3.0 and 2.0.x has unknown impact and attack

vectors. NOTE: due to lack of details as of 20080619, it is not clear whether

this is the same issue as CVE-2008-2785. A CVE identifier has been assigned

for tracking purposes.

unknown

2008-06-19

10.0

CVE-2008-2786

FULLDISC

BID

 

<feel free to browse the page but unfortunately no new information yet>

 

"MEB" wrote:

> Thanks Dan, keep us posted on the outcome...

 

<snipped due to length>

Posted

Re: FIREFOX 3.0 and lower vulnerability

 

Again, thanks Dan, continue to keep us informed.

 

--

MEB

http://peoplescounsel.orgfree.com

--

_________

 

"Dan" <Dan@discussions.microsoft.com> wrote in message

news:2DD538BB-EA02-4E68-A625-555BD2330C50@microsoft.com...

| There is not much new information on the vulnerability yet but this might be

| of interest to you and others from us-cert.

|

| http://www.us-cert.gov/cas/bulletins/SB08-175.html

|

| <this page includes the week's vulnerabilities that include the Mozilla

| Firefox vulnerability>

|

| Mozilla -- Firefox

|

| Buffer overflow in Firefox 3.0 and 2.0.x has unknown impact and attack

| vectors. NOTE: due to lack of details as of 20080619, it is not clear whether

| this is the same issue as CVE-2008-2785. A CVE identifier has been assigned

| for tracking purposes.

| unknown

| 2008-06-19

| 10.0

| CVE-2008-2786

| FULLDISC

| BID

|

| <feel free to browse the page but unfortunately no new information yet>

|

| "MEB" wrote:

|

| > Thanks Dan, keep us posted on the outcome...

|

| <snipped due to length>

Posted

Re: FIREFOX 3.0 and lower vulnerability

 

<snipped due to length>

 

The final release date now is July 2, 2008. I know many of want the patched

version now but we must be patient for it to be released and also to be fully

stable. I am guessing it may now even be pushed back again to July 3, 2008

due to the complexities of implementing this patch for this unknown

vulnerability.

Posted

Re: FIREFOX 3.0 and lower vulnerability

 

Actually, at least one or two more were found, which may be what is taking so

long...

 

--

MEB

http://peoplescounsel.orgfree.com

--

_________

 

"Dan" <Dan@discussions.microsoft.com> wrote in message

news:7046D656-F32D-44AD-9B3B-9D48374AE7F8@microsoft.com...

| <snipped due to length>

|

| The final release date now is July 2, 2008. I know many of want the patched

| version now but we must be patient for it to be released and also to be fully

| stable. I am guessing it may now even be pushed back again to July 3, 2008

| due to the complexities of implementing this patch for this unknown

| vulnerability.

Posted

Re: FIREFOX 3.0 and lower vulnerability

 

Thanks for letting me know, MEB.

 

"MEB" wrote:

> Actually, at least one or two more were found, which may be what is taking so

> long...

>

> --

> MEB

> http://peoplescounsel.orgfree.com

> --

> _________

>

> "Dan" <Dan@discussions.microsoft.com> wrote in message

> news:7046D656-F32D-44AD-9B3B-9D48374AE7F8@microsoft.com...

> | <snipped due to length>

> |

> | The final release date now is July 2, 2008. I know many of want the patched

> | version now but we must be patient for it to be released and also to be fully

> | stable. I am guessing it may now even be pushed back again to July 3, 2008

> | due to the complexities of implementing this patch for this unknown

> | vulnerability.

>

>

>

Guest bobster
Posted

Re: FIREFOX 3.0 and lower vulnerability

 

Gary,

 

You said," I was being facetious, of course".

 

I think many of the ABMers are also being fecesious.

 

Oops, that darn MS Spell checker crap failed again -- or did it? ;-)

 

=============================================================

"Gary S. Terhune" <none> wrote in message

news:eP1rcFl0IHA.2084@TK2MSFTNGP06.phx.gbl...

While you have a legitimate point, think of it as part of an ongoing

discussion about various OSes and their comparative "vulnerabilities".

Whenever someone posts a problem with IE or OE it's a good bet that someone

will slam them for even using those apps, saying they should use Thunderbird

or Firefox (or whatever), instead, because these latter are so totally safe

from intrusion. Or they go even further and claim that Windows is a disaster

due to so many vulnerabilities, and some other OS should be used instead,

ignoring the fact that if their recommendation owned 80% to 90% of the

market, it would be considered just as bad as Windows is now considered.

 

Likewise, MEB recently posted two CERTs exposing vulnerabilities in the

latest QuickTime and SNMPv3, neither of which are MS products but both of

which are serious problems for Windows users in general. My response was

that of course EVERY bit of software potentially contains code which makes

it vulnerable to attack in some way, and for that reason, every sane person

should throw away their computers and all computer-based items immediately

(which means nearly every appliance in a modern person's panoply -- cell

phone, Blackberries, I-whatevers), and stop using things like banks and any

other critical service that uses computers.

 

I was being facetious, of course...I think... My point is that you don't

totally outlaw automobiles and return to the slow-poke age of horsecrap

everywhere, just because a relatively few people get hurt or killed every

year, even when they're driving the most modern automobile available. It's a

baby & bathwater kind of thing.

 

The tie-in to Windows 9x is that more and more companies are no longer

supporting 9x in any way, and IF you're really worried about all that stuff,

you should definitely quit using 9x altogether. Personally, some standard

layers of anti-malware protection and sensible habits, plus the fact that in

most cases the problem is fixed before the public (including the bad guys)

even know there is one, make nearly all those vulnerabilities irrelevant,

even if they remain unpatched. (Just as an added comment, this is why

auto-updaters, or at least some very in-your-face and timely update

notifications, ARE so important. Problem is, you can't run them on Windows

9x because they suck up the puny Resources 9x is cursed with.) The real

problem for Win98 users will be when there are no longer any AV or other

anti-malware or firewall apps that work on them.

 

--

Gary S. Terhune

MS-MVP Shell/User

http://grystmill.com

 

"Julie" <julieb@bellsouth.net> wrote in message

news:%23knLZtk0IHA.2408@TK2MSFTNGP04.phx.gbl...

> What does this have to do with Windows 98. Firefox 3.0 is incompatible with

> Win98.

>

>

> "MEB" <meb@not here@hotmail.com> wrote in message

> news:%234bxhlj0IHA.2188@TK2MSFTNGP04.phx.gbl...

>>

>> Code execution vulnerability found in Firefox 3.0

>>

>> Ryan Naraine: Just hours after the official release of the

>> latest refresh of Mozilla's flagship browser, an unnamed researcher has sold

>> a critical code execution vulnerability that puts millions of Firefox3.0

>> users at risk of PC takeover attacks.

>>

>> http://blogs.zdnet.com/security/?p=1288

>>

>> --

>> MEB

>> http://peoplescounsel.orgfree.com

>> --

>> _________

>>

>>

>

>

Guest Gary S. Terhune
Posted

Re: FIREFOX 3.0 and lower vulnerability

 

I hate to have to do this, but... ABM? Anti-??? Anyone But Me?

 

--

Gary S. Terhune

MS-MVP Shell/User

http://grystmill.com

 

"bobster" <fauxie@bogus.net> wrote in message

news:OOrraFk2IHA.4672@TK2MSFTNGP04.phx.gbl...

> Gary,

>

> You said," I was being facetious, of course".

>

> I think many of the ABMers are also being fecesious.

>

> Oops, that darn MS Spell checker crap failed again -- or did it? ;-)

>

> =============================================================

> "Gary S. Terhune" <none> wrote in message

> news:eP1rcFl0IHA.2084@TK2MSFTNGP06.phx.gbl...

> While you have a legitimate point, think of it as part of an ongoing

> discussion about various OSes and their comparative "vulnerabilities".

> Whenever someone posts a problem with IE or OE it's a good bet that someone

> will slam them for even using those apps, saying they should use Thunderbird

> or Firefox (or whatever), instead, because these latter are so totally safe

> from intrusion. Or they go even further and claim that Windows is a disaster

> due to so many vulnerabilities, and some other OS should be used instead,

> ignoring the fact that if their recommendation owned 80% to 90% of the

> market, it would be considered just as bad as Windows is now considered.

>

> Likewise, MEB recently posted two CERTs exposing vulnerabilities in the

> latest QuickTime and SNMPv3, neither of which are MS products but both of

> which are serious problems for Windows users in general. My response was

> that of course EVERY bit of software potentially contains code which makes

> it vulnerable to attack in some way, and for that reason, every sane person

> should throw away their computers and all computer-based items immediately

> (which means nearly every appliance in a modern person's panoply -- cell

> phone, Blackberries, I-whatevers), and stop using things like banks and any

> other critical service that uses computers.

>

> I was being facetious, of course...I think... My point is that you don't

> totally outlaw automobiles and return to the slow-poke age of horsecrap

> everywhere, just because a relatively few people get hurt or killed every

> year, even when they're driving the most modern automobile available. It's a

> baby & bathwater kind of thing.

>

> The tie-in to Windows 9x is that more and more companies are no longer

> supporting 9x in any way, and IF you're really worried about all that stuff,

> you should definitely quit using 9x altogether. Personally, some standard

> layers of anti-malware protection and sensible habits, plus the fact that in

> most cases the problem is fixed before the public (including the bad guys)

> even know there is one, make nearly all those vulnerabilities irrelevant,

> even if they remain unpatched. (Just as an added comment, this is why

> auto-updaters, or at least some very in-your-face and timely update

> notifications, ARE so important. Problem is, you can't run them on Windows

> 9x because they suck up the puny Resources 9x is cursed with.) The real

> problem for Win98 users will be when there are no longer any AV or other

> anti-malware or firewall apps that work on them.

>

> --

> Gary S. Terhune

> MS-MVP Shell/User

> http://grystmill.com

>

> "Julie" <julieb@bellsouth.net> wrote in message

> news:%23knLZtk0IHA.2408@TK2MSFTNGP04.phx.gbl...

>> What does this have to do with Windows 98. Firefox 3.0 is incompatible with

>> Win98.

>>

>>

>> "MEB" <meb@not here@hotmail.com> wrote in message

>> news:%234bxhlj0IHA.2188@TK2MSFTNGP04.phx.gbl...

>>>

>>> Code execution vulnerability found in Firefox 3.0

>>>

>>> Ryan Naraine: Just hours after the official release of the

>>> latest refresh of Mozilla's flagship browser, an unnamed researcher has sold

>>> a critical code execution vulnerability that puts millions of Firefox3.0

>>> users at risk of PC takeover attacks.

>>>

>>> http://blogs.zdnet.com/security/?p=1288

>>>

>>> --

>>> MEB

>>> http://peoplescounsel.orgfree.com

>>> --

>>> _________

>>>

>>>

>>

>>

>

>

>

Guest bobster
Posted

Re: FIREFOX 3.0 and lower vulnerability

 

ABM = Anybody But Microsoft. Sorry, Gary but thought it was a well known

acronym. Pardon my lame attempt at humor. In my working life, fecesious

was a made-up word we often used to denote a BSer, derived from feces +ous

(full of). It was sort of an in joke. Most people thought we were

mispronouncing facetious.

 

About 3 months ago I went over to the other side and bought a Dell XP

machine -- last of the breed. My old 300MHz PII W98SE dog just couldn't

hack videos and lots of other stuff I wanted to do. It wasn't 98SE that was

the culprit -- just the slow processor. I'm using IE7 with a little app

called Quero Toolbar that gives me freedom to move and size all of the

various bars and functions to my satisfaction. It looks and feels like a

windows 98SE/IE6 machine with tabbed browsing but much, much faster. So far

I've had only one BSOD and none of the problems that some have had with XP

SP-3. And an unexpected bonus was to find PA Bear very active on the XP

board.

 

I like to check back on this board occasionally to see how things are in the

W98 world as I had been a several year beneficiary of the wisdom of folks

like you, the two Ronnies, PA Bear and many others. Good to see you're

still active.

 

==============================================================

"Gary S. Terhune" <none> wrote in message

news:uFVOLhk2IHA.2064@TK2MSFTNGP05.phx.gbl...

I hate to have to do this, but... ABM? Anti-??? Anyone But Me?

 

--

Gary S. Terhune

MS-MVP Shell/User

http://grystmill.com

 

"bobster" <fauxie@bogus.net> wrote in message

news:OOrraFk2IHA.4672@TK2MSFTNGP04.phx.gbl...

> Gary,

>

> You said," I was being facetious, of course".

>

> I think many of the ABMers are also being fecesious.

>

> Oops, that darn MS Spell checker crap failed again -- or did it? ;-)

>

> =============================================================

> "Gary S. Terhune" <none> wrote in message

> news:eP1rcFl0IHA.2084@TK2MSFTNGP06.phx.gbl...

> While you have a legitimate point, think of it as part of an ongoing

> discussion about various OSes and their comparative "vulnerabilities".

> Whenever someone posts a problem with IE or OE it's a good bet that someone

> will slam them for even using those apps, saying they should use Thunderbird

> or Firefox (or whatever), instead, because these latter are so totally safe

> from intrusion. Or they go even further and claim that Windows is a disaster

> due to so many vulnerabilities, and some other OS should be used instead,

> ignoring the fact that if their recommendation owned 80% to 90% of the

> market, it would be considered just as bad as Windows is now considered.

>

> Likewise, MEB recently posted two CERTs exposing vulnerabilities in the

> latest QuickTime and SNMPv3, neither of which are MS products but both of

> which are serious problems for Windows users in general. My response was

> that of course EVERY bit of software potentially contains code which makes

> it vulnerable to attack in some way, and for that reason, every sane person

> should throw away their computers and all computer-based items immediately

> (which means nearly every appliance in a modern person's panoply -- cell

> phone, Blackberries, I-whatevers), and stop using things like banks and any

> other critical service that uses computers.

>

> I was being facetious, of course...I think... My point is that you don't

> totally outlaw automobiles and return to the slow-poke age of horsecrap

> everywhere, just because a relatively few people get hurt or killed every

> year, even when they're driving the most modern automobile available. It's a

> baby & bathwater kind of thing.

>

> The tie-in to Windows 9x is that more and more companies are no longer

> supporting 9x in any way, and IF you're really worried about all that stuff,

> you should definitely quit using 9x altogether. Personally, some standard

> layers of anti-malware protection and sensible habits, plus the fact that in

> most cases the problem is fixed before the public (including the bad guys)

> even know there is one, make nearly all those vulnerabilities irrelevant,

> even if they remain unpatched. (Just as an added comment, this is why

> auto-updaters, or at least some very in-your-face and timely update

> notifications, ARE so important. Problem is, you can't run them on Windows

> 9x because they suck up the puny Resources 9x is cursed with.) The real

> problem for Win98 users will be when there are no longer any AV or other

> anti-malware or firewall apps that work on them.

>

> --

> Gary S. Terhune

> MS-MVP Shell/User

> http://grystmill.com

>

> "Julie" <julieb@bellsouth.net> wrote in message

> news:%23knLZtk0IHA.2408@TK2MSFTNGP04.phx.gbl...

>> What does this have to do with Windows 98. Firefox 3.0 is incompatible with

>> Win98.

>>

>>

>> "MEB" <meb@not here@hotmail.com> wrote in message

>> news:%234bxhlj0IHA.2188@TK2MSFTNGP04.phx.gbl...

>>>

>>> Code execution vulnerability found in Firefox 3.0

>>>

>>> Ryan Naraine: Just hours after the official release of the

>>> latest refresh of Mozilla's flagship browser, an unnamed researcher has sold

>>> a critical code execution vulnerability that puts millions of Firefox3.0

>>> users at risk of PC takeover attacks.

>>>

>>> http://blogs.zdnet.com/security/?p=1288

>>>

>>> --

>>> MEB

>>> http://peoplescounsel.orgfree.com

>>> --

>>> _________

>>>

>>>

>>

>>

>

>

>
