(Bug 585028) Users who had passwords less than 6 characters long couldn't log in.
(Bug 584414) Typing something like "P1-5" in the quicksearch box should have been searching the Priority field, but it was not.
(Bug 590144) Searching for bugs "with at least X votes" was instead returning bugs with exactly that many votes.
(Bug 591218) Saving a search with either of the deadline fields set to "Now" would cause that deadline field to be removed from the saved search.

See the Security Advisory for details.

In addition, the following important fixes/changes have been made in this release: Clicking the "Submit only my new comment" button on the mid-air collision page will no longer result in a "Form field longdesclength was not defined" error.

This release fixes various important security issues.

If it's good enough for Red Hat, Gnome and even NASA, then it shows what an excellent bug tracking tool Bugzilla is. While many development tracking tools are complicated and end up creating more work than they save, Bugzilla keeps everything clean and simple. The overall usability of Bugzilla is what impresses the most. For example, you can add options such as activating email alerts for when changes are made, and set levels of permissions for who can access what.

Then from the remaining dlls, rename the PoC to each DLL and try to reproduce.

As you'd expect from a Mozilla product, Bugzilla is extremely customizable.

We should use procmon to see which dlls are loaded, and then subtract out the safe dlls from that list. The test is the same as the one we did for installer on each platform. Ideally we should test this on XPx86, XPx64, Vistax86, Vistax64, Win7x86, Win7x64, and Win8x86, win8x64.

The issue is reproducible even without the service, but it's easiest to reproduce as per the original instructions in comment 0. We can do that as a precaution inside a different bug though. These attacks are for delay loaded dlls which are not in the safe list of dlls on some platforms.
SetDLLDirectory wouldn't fix this, we don't call LoadLibrary. Also on second thought we don't need to check maintenanceservice because no one can put a dll next to it since it's already in a high integrity location.

Yup, updater is not a new component, I only suggested we check maintenanceservice at the same time, but the report is not for maintenanceservice.

The cryptsp.dll from the system directory should be loaded. Kill the calc.exe to finish the "update". The fake "cryptsp.dll" executes system("calc") in DLLMain so you will see a calc.exe and a cmd.exe running with system rights in the process list.

Sc start MozillaMaintenance MozillaMaintenance software-update "C:\Users\Ash\Desktop\poc\updater.exe" "C:\Users\Ash\Desktop\poc" "C:\Program Files (x86)\Mozilla Firefox\updated" -1

Sc start MozillaMaintenance MozillaMaintenance software-update -1

I have attached a poc to perform an update of 18.0 to 18.0 (feature or bug?) which I have tested on win7 pro 32bit and 64bit with Firefox 18.0.

1.) Download the poc and extract the files.
2.) Download " " and save the file as "update.mar" in the poc directory.

The exe loads the cryptsp.dll from the update directory while performing an update. Besides fixed Bug 750850, the updater.exe in FF 18.0 is vulnerable to a LoadLibrary-based attack.