Wednesday, September 15, 2004
There's a critical Mozilla and Firefox update today
Yep -- a high risk security problem in the alternatives to Microsoft Internet Explorer.
Unfortunately they're harder to upgrade than IE. Check first whether you need to. From the Help menu, choose About. For Mozilla, you're safe if the version number shown is 1.7.3. For Firefox, look for 1.0PR. If it's anything else, you need to upgrade.
Here's the unpleasant part. The authors recommend uninstalling first and then installing fresh. I've gotten away with reinstalling over an existing installation but that's not supposed to work.
So download the installer for the new version (from the Mozilla page or the Firefox page), quit the browser, go to Start/Settings/Control Panel/Add/remove Programs, select the entry for your browser, click Remove. Then run the installer from wherever you downloaded it to.
Your bookmarks and saved passwords should survive this process. You may want to check the help files for how to back them up. You'll have to reinstall any extensions you added.
The changes fix several problems. The most dangerous was just like the recent Internet Explorer problem where viewing a maliciously built image file could take over your computer. Others involved email: a specially built "vcard" business card attachment could cause damage, as could some kinds of toxic email. Dragging links from one location to another could bypass security (just like another recent Internet Explorer problem). Another bug allowed a hostile program to change the contents of a security warning dialog.
If you can't upgrade immediately, the short-term and inadequate defenses are
It's getting to the point that I and other security professionals are tempted to recommend having two computers, one for important work and another disposable one for web surfing and email, and not networking the two.
|
Unfortunately they're harder to upgrade than IE. Check first whether you need to. From the Help menu, choose About. For Mozilla, you're safe if the version number shown is 1.7.3. For Firefox, look for 1.0PR. If it's anything else, you need to upgrade.
Here's the unpleasant part. The authors recommend uninstalling first and then installing fresh. I've gotten away with reinstalling over an existing installation but that's not supposed to work.
So download the installer for the new version (from the Mozilla page or the Firefox page), quit the browser, go to Start/Settings/Control Panel/Add/remove Programs, select the entry for your browser, click Remove. Then run the installer from wherever you downloaded it to.
Your bookmarks and saved passwords should survive this process. You may want to check the help files for how to back them up. You'll have to reinstall any extensions you added.
The changes fix several problems. The most dangerous was just like the recent Internet Explorer problem where viewing a maliciously built image file could take over your computer. Others involved email: a specially built "vcard" business card attachment could cause damage, as could some kinds of toxic email. Dragging links from one location to another could bypass security (just like another recent Internet Explorer problem). Another bug allowed a hostile program to change the contents of a security warning dialog.
If you can't upgrade immediately, the short-term and inadequate defenses are
- Just Say "No": if you get asked to install software unexpectedly, decline.
- Stay out of bad neighborhoods on the Web
- Don't drag a link from one place to another
- Consider using the Opera browser, until someone finds a horrible problem there too.
It's getting to the point that I and other security professionals are tempted to recommend having two computers, one for important work and another disposable one for web surfing and email, and not networking the two.
# posted by Frederick @ 2:08 PM Email to a friend:
Haloscan: they provide trackback