Firefox 2.0.0.6
Firefox 2.0.0.6 was released this week. Neither Fedora nor Red Hat Enterprise Linux will see this version. Here is why.
This update fixes these two flaws:
MFSA 2007-27 Unescaped URIs passed to external programs
MFSA 2007-26 Privilege escalation through chrome-loaded about:blank windows
The reason the Mozilla Foundation released this update was primarily to address MFSA 2007-27. This is a rather serious flaw in how Firefox hands URIs to external helper programs. This flaw does not affect Linux, as helper applications there are launched in an understood and controlled manner. The other flaw, MFSA 2007-26, is a rather minor flaw that has been rated as being of moderate severity. It involves how certain Firefox extensions create new windows. In general this flaw is harmless, and upstream wanted to fix it since it was a regression from the 2.0.0.5 update.
A lot happens behind the scenes any time there is an update of Firefox, Thunderbird, and Seamonkey. Apart from a great deal of developer and QA time, this translates into lost time for users as well. Vast quantities of bandwidth are consumed to download the updates, then the various plugins must be updated. It was decided that it would be a great disservice to the users to squander the available resources for an update they don't need.
Obviously, if you run Firefox on Windows, you best get this update, as the flaw is rather serious there.
Hacking via IPS Signatures
An Intrusion Prevention System (IPS) is supposed to stop malicious attacks from ever happening. In general most security researchers worth their salt feel these systems are a waste of time and money. They fall into the classification of security theater: something that doesn't actually make you more secure, but makes you think you are more secure.
An article on Dark Reading claims something that has been suspected, but unproved, for a very long time about IPS vendors: their 0day vulnerability signatures aren't very 0day. One of the ways IPS vendors try to add value is to include currently unknown vulnerabilities they discovered. The way this works is they acquire information about a security flaw, create an IPS signature for it, add the signature to their product, then tell the vendor. The article from Dark Reading suggests that attackers are using the signatures to figure out what the vulnerability is, then leveraging the fact that it's not fixed in the vendor's product.
How this will be handled by various vendors is now a very real question that needs to be addressed. We shall see where it goes.