This was in an earlier version of the @RISK newsletter:

(November 5th 2007)
@RISK: The Consensus Security Vulnerability Alert
Vol. 6 No. 45

(4) HIGH: Mozilla Firefox Arbitrary Script Execution Vulnerability

Affected:
Mozilla Firefox versions 2.0.0.8 and prior

Description: Mozilla Firefox contains a vulnerability in its handling of JavaScript. A specially crafted web page could bypass domain restrictions and allow an attacker to execute arbitrary JavaScript in a security domain different from that in which it was loaded. This could allow an attacker to alter the user interface or potentially execute arbitrary code with the privileges of the current user. Some technical details and a proof-of-concept are available for this vulnerability. Additionally, technical details may be available via source code analysis. Other Mozilla products, such as Thunderbird and SeaMonkey, may also be affected.

Status: Mozilla has not confirmed, no updates available.

References:
Posting by The Hacker Webzine
http://www.0x000000.com/index.php?i=465
Proof-of-Concept
http://downloads.securityfocus.com/vulnerabilities/exploits/26283.html
SecurityFocus BID
http://www.securityfocus.com/bid/26283

It's not confirmed though, 2.0.0.9 is just a stability update:
Firefox 2.0.0.9 stability update now available for download

Nevertheless, it's widely used as a default browser, Ubuntu should support a stability update in order to be more efficient. Or at least put it in backports :)

--
upgrade to firefox 2.0.0.9
https://bugs.launchpad.net/bugs/160895
You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs