David Burgess wrote:
> On Tue, 2005-05-10 at 18:47 -0400, [KS] wrote:
>
>>Here is the official security advisory link from mozilla.org
>>http://www.mozilla.org/security/announce/mfsa2005-42.html
>>
>>You should be fine as long as you haven't added any website to the
>>whitelist to install software except the official update website.
>>
>>/KS
>
> Not so. From the "Workaround" section of the advisory:
>
> "4. Click the "Remove All Sites" button"
>
> The problem is that any site can install software as long as there is at
> least a single site on the whitelist. You are vulnerable until you clear
> the whitelist completely.
>
> dB

Ref: http://www.mozillazine.org/talkback.html?article=6590

"In a standard Firefox installation, only the Mozilla Update sites (update.mozilla.org and addons.mozilla.org) are on the whitelist by default. This has allowed the Mozilla Foundation to apply a server-side change that prevents attackers from exploiting the code execution flaw using its systems. Therefore, **if you have not added any additional sites to the whitelist**, you are not at risk from the code execution exploit and have not been since yesterday. However, you will still be vulnerable to the less serious JavaScript injection flaw."

/KS