"A pair of unpatched vulnerabilities in Mozilla's Firefox Web browser -- rated as "extremely critical" by one security firm -- could allow an attacker to take control of a PC simply by getting a user to visit a malicious Web site, Mozilla said Sunday. Because proof-of-concept code has been leaked -- as were the vulnerabilities -- before a patch was ready, Mozilla recommended that Firefox users either disable JavaScript or lock down the browser so it doesn't install additional software, such as extensions or themes, from Web sites." http://news.yahoo.com/news?tmpl=story&u=/c...c_cmp/163100381
Thanks for forwarding this, Don. I've switched off the "Allow Downloads" in my Firefox 1.0.3 version. (Though Firefox has always asked me first re: I want to download updates first.) As with any of these articles, I wonder about the validity of the research -- are they being alarmist, etc. However, this looks pretty solid. Appreciate you alerting us!
The fix has landed! Firefox 1.0.4 is now available. There was some confusion earlier about a nightly release being called the final version . . . but this is it. My "About Firefox" says 1.0.4
http://www.mozilla.org/

What's New 1.0.4

Firefox 1.0.4 is a security update that is part of our ongoing program to provide a safe Internet experience for our customers. We recommend that all users upgrade to this latest version.

Here's what's new in Firefox 1.0.4:

* Several security fixes.
* Fix to DHTML errors encountered at some web sites.

For web developers, learn more.

Gee, how long did that fix take? A couple of days! Firefox Rules!!!