新书推介:《语义网技术体系》
作者:瞿裕忠,胡伟,程龚
   >>中国XML论坛<<     W3CHINA.ORG讨论区     计算机科学论坛     SOAChina论坛     Blog     开放翻译计划     新浪微博  
 
  • 首页
  • 登录
  • 注册
  • 软件下载
  • 资料下载
  • 核心成员
  • 帮助
  •   Add to Google

    >> 最新的技术动态
    [返回] 中文XML论坛 - 专业的XML技术讨论区休息区『 最新动态 & 业界新闻 』 → Mozilla patches 9 Firefox bugs, adds plug-in crash protection 查看新帖用户列表

      发表一个新主题  发表一个新投票  回复主题  (订阅本版) 您是本帖的第 5460 个阅读者浏览上一篇主题  刷新本主题   树形显示贴子 浏览下一篇主题
     * 贴子主题: Mozilla patches 9 Firefox bugs, adds plug-in crash protection 举报  打印  推荐  IE收藏夹 
       本主题类别:     
     卷积内核 帅哥哟,离线,有人找我吗?
      
      
      威望:8
      头衔:总统
      等级:博士二年级(版主)
      文章:3942
      积分:27590
      门派:XML.ORG.CN
      注册:2004/7/21

    姓名:(无权查看)
    城市:(无权查看)
    院校:(无权查看)
    给卷积内核发送一个短消息 把卷积内核加入好友 查看卷积内核的个人资料 搜索卷积内核在『 最新动态 & 业界新闻 』的所有贴子 访问卷积内核的主页 引用回复这个贴子 回复这个贴子 查看卷积内核的博客楼主
    发贴心情 Mozilla patches 9 Firefox bugs, adds plug-in crash protection

    Mozilla on Tuesday patched nine vulnerabilities, six of them critical, in Firefox 3.6 and Firefox 3.5.

    But rather than highlighting the security fixes in Firefox 3.6.4, the company instead emphasized the addition of crash protection, a move meant to keep the browser alive when popular plug-ins drop dead.

    Updates to Firefox 3.6.4 and Firefox 3.5.10 fixed nine flaws for each version, although the total patch count came to 10 because two fixes affected only one of the pair.

    Six of the nine vulnerabilities for each browser were rated "critical," Mozilla's highest threat ranking, indicating that hackers could use them to compromise a system running Firefox, then plant other malware on the machine.

    Two were labeled "moderate," the second-lowest rating, while one was tagged as "low."

    One of the critical flaws was reported to Mozilla by Nils, a German research who only goes by his first name.

    Nils gained fame by winning cash prizes at the last two annual Pwn2Own hacking contests, sponsored by HP TippingPoint's Zero Day Initiative bug bounty program.

    Last March, Nils took home $10,000 by sidestepping DEP (data execution prevention) and ASLR (address space layout randomization) in Windows 7 to exploit the then-current Firefox 3.6.2.

    It was Nils' second Pwn2Own victory; last year he grabbed $15,000 by exploiting not only Firefox, but also Safari and IE8.

    Mozilla also marked a clutch of bugs in the browser and JavaScript engines as critical, although it only assumed the flaws could be exploited.

    "Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla said, using boilerplate language it often inserts into browser or JavaScript engine security advisories.

    But Mozilla wanted all eyes on Firefox 3.6.4 for a different reason. "Results from our beta testing show Firefox 3.6.4 will significantly reduce the number of Firefox crashes experienced by users who are watching online videos or playing games," said Christian Legnitto, who oversees the Firefox releases, in a post to Mozilla's blog.

    "When a plug-in crashes or freezes while using Firefox, users can enjoy uninterrupted browsing by simply refreshing the page," he said.

    Firefox 3.6.4 currently recovers only from crashes of Adobe's Flash Player, Apple's QuickTime and Microsoft's Silverlight plug-ins, and is available only in Firefox for Windows and Linux. The company is still working on the feature, which it has dubbed "out of process plug-ins," or OOPP, for the Mac version.

    Mozilla has had an eye on Flash for OOPP treatment because Adobe's software has been responsible for more Firefox crashes than any other plug-in, according to the company.

    It has also worked other features into Firefox to deal with problems in that plug-in, and others. Last year, for example, Mozilla kicked off plug-in checking, a feature that determines whether a user is running an outdated, and possibly vulnerable, plug-in, by focusing on Flash.

    A keystone of the "Lorenz" project -- a move by Mozilla to quickly add features to Firefox via regular security updates rather than waiting for bigger upgrades -- OOPP was designed as a stop-gap measure for Firefox 3.6 when work on the full-scale "Electrolysis" process separation project was shifted to Firefox 4, a major update currently scheduled to ship by the end of 2010.

    The addition of OOPP led to several delays of Firefox 3.6.4, which at one point was slated for an early May release, then pushed to June 1 and beyond.

    Mozilla has no plans to add OOPP to the older Firefox 3.5 line, it said in an FAQ on the new crash protection feature.

    Users can update to Firefox 3.6.4 by downloading the new edition or by selecting "Check for Updates" from the Help menu in the browser. Firefox 3.5 can obtain the patches by calling up the integrated update tool.

    Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter


       收藏   分享  
    顶(0)
      




    ----------------------------------------------
    事业是国家的,荣誉是单位的,成绩是领导的,工资是老婆的,财产是孩子的,错误是自己的。

    点击查看用户来源及管理<br>发贴IP:*.*.*.* 2010/6/23 10:25:00
     
     GoogleAdSense
      
      
      等级:大一新生
      文章:1
      积分:50
      门派:无门无派
      院校:未填写
      注册:2007-01-01
    给Google AdSense发送一个短消息 把Google AdSense加入好友 查看Google AdSense的个人资料 搜索Google AdSense在『 最新动态 & 业界新闻 』的所有贴子 访问Google AdSense的主页 引用回复这个贴子 回复这个贴子 查看Google AdSense的博客广告
    2024/11/21 20:52:47

    本主题贴数1,分页: [1]

    管理选项修改tag | 锁定 | 解锁 | 提升 | 删除 | 移动 | 固顶 | 总固顶 | 奖励 | 惩罚 | 发布公告
    W3C Contributing Supporter! W 3 C h i n a ( since 2003 ) 旗 下 站 点
    苏ICP备05006046号《全国人大常委会关于维护互联网安全的决定》《计算机信息网络国际联网安全保护管理办法》
    62.500ms