Homeland Secure IT Alert for Tuesday, December 14, 2010 In an effort to keep the Firefox browser secure, updates have been released that address multiple vulnerabilities. If you are using the 3.5.x or 3.6.x versions of the popular browser on Microsoft Windows, Linux or Apple Mac, you should insure your browser is up to date immediately to 3.5.16 or 3.6.13 respectively. Failure to do so could allow an attacker to execute code on your computer, regardless of the operating system. I have attached the announcement from the WatchGuard security ML below: — December Firefox Update Corrects a Bunch of Critical VulnerabilitiesSeverity: Medium13 December, 2010 Summary:
Exposure:Last week, Mozilla released a Firefox update fixing 13 (count based on CVE number) vulnerabilities in their popular multi-platform web browser. Mozilla rates most of these vulnerabilities as critical; meaning an attacker can leverage them to execute code and install software without user interaction beyond normal browsing. We summarize three of the most critical Firefox 3.6.12 vulnerabilities below:
Mozilla’s alert describes many more critical vulnerabilities, most of which allow attackers to execute code simply by enticing you to a malicious web page. Visit Mozilla’s Known Vulnerabilities page for a complete list of the vulnerabilities that Firefox 3.6.13 fixes. On a related note, some of these vulnerabilities also affect Firefox 3.5.x. If you use 3.5.x, we recommend you move to 3.6.13. However, if you must stay with 3.5.x, Mozilla has also released an update for that legacy version as well. Solution Path:Mozilla has released Firefox 3.6.13 and 3.5.16, to correct these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 3.6.13 as soon as possible. If, for some reason, you must remain with Firefox 3.5.x, make sure to upgrade to 3.5.16. Note: The latest version of Firefox 3.6.x automatically informs you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to always download and install any update, or if you prefer, only to inform the user that an update exists. As an aside, attackers cannot leverage many of these vulnerabilities without JavaScript. Disabling JavaScript by default is a good way to prevent many web-based vulnerabilities. If you use Firefox, we recommend you also install the NoScript extension, which will disable JavaScript (and other active scripts) by default. For All Users:This attack arrives as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution. Status:The Mozilla Foundation has released Firefox 3.6.13 to fix these vulnerabilities. References:This alert was researched and written by Corey Nachreiner, CISSP. What did you think of this alert? Let us know at your.opinion.matters@watchguard.com. More alerts and articles: log into the LiveSecurity Archive. — WatchGuard manufactures a wide range of network security appliances / firewalls that can help protect your business from malicious attacks, reduce spam, keep you within compliance and give you peace of mind. We offer the full WatchGuard line of products for sale and provide support. For more information, email info@homelandsecureit.com or call 864.990.4748. If you would like a free consultation, please contact us today! |