All Firefox users are urged to update to Firefox 39.0.3

For discussions about security.
Bindee


#1 Post by Bindee »

All Firefox users are urged to update to Firefox 39.0.3

http://www.theregister.co.uk/2015/08/07 ... ln_exploit

[quote]

On Windows the exploit looked for subversion, s3browser, and Filezilla configurations files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients.

On Linux the exploit goes after the usual global configuration files like /etc/passwd, and then in all the user directories it can access it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for remina, Filezilla, and Psi+, text files with “pass

darry1966

#2 Post by darry1966 »

The current version of Firefox ESR is 38.1.1, so it should be patched for this according to the article.

perdido
Posts: 1528
Joined: Mon 09 Dec 2013, 16:29
Location: ¿Altair IV , Just north of Eeyore Junction.?

#3 Post by perdido »

Mozilla products which don't contain the PDF Viewer, such as Firefox for Android, remain unaffected by the vuln.
Firefox versions that do not contain the built-in PDF Viewer are not affected by this vulnerability.

darry1966

#4 Post by darry1966 »

Those that do: change the PDF opening action to either use xpdf or similar, or download the file instead of opening it in FF.

Barkin
Posts: 803
Joined: Fri 12 Aug 2011, 04:55

#5 Post by Barkin »

darry1966 wrote: The current version of Firefox ESR is 38.1.1, so it should be patched for this according to the article.
Not at the moment it isn't: on Linux & Windows the current version of ESR is 31 ...
Attachment: ''up to date' 'ESR on August 9th 2015 is 31-8-0.png

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#6 Post by 8Geee »

If I got this right, a remote hacker uses the browser's pdf.js reader.

In Edit --> Preferences --> Applications --> PDF change to always ask

In about:config use the search term pdf

newer FF versions have a "disable auto fetch" listing: set this to true

pdfjs.disabled true
pdfjs.firstRun false
pdfjs.previousHandler.alwaysAskBeforeHandling true

There are other settings with numeric values that support.mozilla does not enlighten.

This routine will cause D/L of the file, or open with... thus a bit dodgy IF D/L option taken.

Edited 8/18/15
Last edited by 8Geee on Tue 18 Aug 2015, 11:10, edited 1 time in total.
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

perdido
Posts: 1528
Joined: Mon 09 Dec 2013, 16:29
Location: ¿Altair IV , Just north of Eeyore Junction.?

#7 Post by perdido »

8Geee wrote: If I got this right, a remote hacker uses the browser's pdf.js reader.
That's how I read it.
8Geee wrote: In Edit Preferences change to always ask
To clarify: in Edit > Preferences > Applications, change Content Type > PDF file to Always Ask.
8Geee wrote: In about:config use the search term pdf

pdfjs.disabled true
pdfjs.firstRun false
pdfjs.previousHandler.alwaysAskBeforeHandling true

There are other settings with numeric values that support.mozilla does not enlighten.

This routine will cause D/L of the file, or click X to cancel... thus a bit dodgy.
Good Stuff, doing what you recommend will allow people to keep using their browser safely without upgrading.

One other thing, it is a good idea to install the NoScript Add-on to Firefox and Seamonkey. https://noscript.net/


OscarTalks
Posts: 2196
Joined: Mon 06 Feb 2012, 00:58
Location: London, England

#8 Post by OscarTalks »

Barkin wrote:current version of ESR is #31 ...
As I understand it, because ESR's are Extended Support Releases there is always an overlap of the "current" version.

The current release with the highest number is indeed 38.1.1 which was released very recently replacing 38.1.0, presumably patching the exploit.

The 31.x.x version, if still supported (and if someone is actually maintaining it), should also have any important patches applied to it.
The Mozilla website offers a choice of ESR 38 or 31 to download.

Be aware though that if you are using one of those builds with no updater (such as the Slackware releases) you may find that the "About Firefox" window will report the version as up to date when in fact it is not. Latest version of 31 does appear to be 31.8.0 though.
Oscar in England

darry1966

#9 Post by darry1966 »

Have downloaded the latest, and there was an option to download 31 as well. I chose 38.1.1, so yeah, there is a choice. Anyway, thanks for the pdf settings tips regarding the internal viewer.
Attachment: 2015081014391430281280x800.png

tallboy
Posts: 1760
Joined: Tue 21 Sep 2010, 21:56
Location: Drøbak, Norway

#10 Post by tallboy »

I am not aware of the advantages of using the ESR version of FF; can someone please elaborate on that?

I am using FF 39.0, and independent of version, I always set the prefs to ask for a pdf reader, as I always use Xpdf.
I also have the extension Disable Hello, Pocket & Reader+ 0.4.2 installed, would that be of any help?

In the list of pdf.js's below, are there any other values that should be toggled?

tallboy

BTW: I never accept automatic updates of any kind
Attachment: from_about-config.jpg
True freedom is a live Puppy on a multisession CD/DVD.

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#11 Post by 8Geee »

tallboy

Common sense tells me to set pdfjs.disableAutoFetch to TRUE.

edit:

You asked about other things including Pocket
Use the search term pocket in about config

Completely disable it. (M$ Wallet clone !)

Ditto Hello!
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#12 Post by Mike7 »

8Geee wrote:This routine will cause D/L of the file, or open with... thus a bit dodgy IF D/L option taken.
Can you explain, please?

M.
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.
