Afternoon Update To This Post: Shortly after we posted this, late in the afternoon on Wednesday, Mozilla did issue the 3.0.1 fix for Firefox that is discussed here. It is available if you have Firefox 3, by clicking on Check for Updates in the browser’s Help menu. As of 4:50 PST on Wednesday, Mozilla has not yet issued the update for Thunderbird.
Are you a user of Firefox, Thunderbird or SeaMonkey? If so, Mozilla has just issued two critical security advisories for these applications, one found here, and another found here. Funny thing is, though, as PCMag.com’s blog is reporting, you can only get fixed versions of some of the applications affected, not all of them. What’s up with that?
In Security Advisory 2008-34, Mozilla officials say “an anonymous researcher, via TippingPoint’s Zero Day Initiative program, reported a vulnerability in Mozilla’s internal CSSValue array data structure.” Specifically, an attacker could use this vulnerability to run arbitrary code on a user’s computer. Mozilla then goes on to list the versions of its applications that have a fix for the problem above: Firefox 3.0.1, Firefox 126.96.36.199, Thunderbird 188.8.131.52, and SeaMonkey 1.1.11.
In Security Advisory 2008-35, Mozilla reports a bug titled “Command-line URLs launch multiple tabs when Firefox not running.” It then reports that this problem is fixed in these versions of its applications: Firefox 3.0.1, Firefox 184.108.40.206.
The trouble here is that more than one of these “fixed” versions are not available from Mozilla yet. The latest version of Firefox 3.x is version 3.0, not the “fixed” version 3.0.1. Mozilla has released Firefox 220.127.116.11 and users of version 2 should download and install it. Likewise, you can get the “fixed” version of SeaMonkey here. However, the latest version of Thunderbird is 18.104.22.168 not the “fixed” version with the .16 suffix.
Come on Mozilla, this is very weak, and security is a primary reason why many people use Firefox in the first place. Either patches should be available when these vulnerabilities are found, or realistic workarounds should be. I had to laugh at Mozilla’s suggested workaround for the problem in the second advisory, which is copied verbatim here: “This attack only works if the user is using another Internet-connected application with Firefox not running. Using Firefox, or making sure it is at least running, prevents this attack.”
That’s what I’ll do. I’ll run Firefox every minute of every day, never shutting down, to stay safe from hackers.