I had mentioned the other night on my Firefox 2.0 RC1 Update entry two bug reports (353264 & 353266) I could not access due to not having a high enough authorization level. Today in mozilla links » Firefox vulnerability disclosed at ToorCon 2006:
During hacker convention ToorCon 2006, speakers Mischa Spiegelmock and Andrew Wbeelsoi presented how a current Firefox vulnerability could be exploited to gain control of a web visitor’s computer. The example exploits a flaw in Mozilla’s JavaScript implementation. An attacker would need to craft a specially coded web page and would take control once an unknowing visitor gets to the site.
SecuriTeam has pointed to 3 reported bugs (currently closed to the public) in Mozilla’s Bugzilla database as the cause of the announced vulnerability.
Well, that would explain why I could not get into those two bug reports. Not sure about the third one though, it was not in Friday’s RC2 bug list. In a way I am glad Mozilla is taking the precaution of keeping these bugs ‘classified’ and yet letting us know there is an issue and they are correcting it. The good news is these vulnerabilities will be fixed with tonight’s nightly build. However, for those running the regular RC1 release, the update will not be available until RC2 comes out, possibly on Friday.