Archive for March 26th, 2009

A Firefox 3.0.8 "high-priority fire drill security update" is on its way, likely to be released by the middle of next week (April the 1st at the latest, jokes aside). The reason is an emergency patch for a critical vulnerability irresponsibly disclosed by Guido Landi. I feel a bit guilty about it because Mr. Landi is Italian like me -- not that here in Italy we lack reasons for being ashamed...

Beware the PoC: it will crash Firefox on Windows, Linux and Mac OS X even if you've got NoScript. However, this crashing bug, like the vast majority of them, is not exploitable if you've got JavaScript and other active content disabled on the attacker's site, because reliable exploitation requires scripting to "spray the heap", i.e. to inject the malicious payload at the right places in your memory for execution.
Therefore you can easily survive until the automatic update kicks in, if you don't mind the possibility of an annoying but not dangerous crash (thanks, session restore!) ;)

On a side note, it's time to update Java as well: yet another bunch of critical vulnerabilities, several of them exploitable in your browser. Business as usual...

