It will also feature more applications, including an Access-like database creator, a flowcharter, and an image manipulation tool. Shouldn't be too hard; most of this capability exists as individual apps already. For example, they could probably implement code from the following fairly well-regarded entries listed on the KDE Apps site:
-- QCad
-- -- for flowcharting (if supplied with pre-defined shapes)
-- Pixel
-- -- for painting/photo manipulation
-- Kexi
-- -- for Access-style database management
(Items for illustration purposes only; not an endorsement of any particular package.)
It should be noted that a careful reading of the advisory does not make any mention of the vulnerability being related to the use of Firefox per se, but rather to the use of QuickTime in conjunction with Firefox.
The vulnerability allows an attacker to use a specially crafted QuickTime object to launch the default browser within Windows. This implies that the initial vulnerability resides within QuickTime, and is supported by the following:
... QuickTime Media-Link files contain a qtnext attribute that could be used on Windows systems to launch the default browser...
This vulnerability is compounded, however, by the ability to launch the browser with arbitrary command line options. For example, an attacker could theoretically launch an instance of Firefox (presuming it was the default browser) and use the -chrome switch to execute scripts that could spoof a browser user interface. For example, portions of the real Firefox interface could be hidden and a counterfeit section rendered, in conjunction with a cloned web page that shows
https://signin.ebay.com/ws/eBayISAPI.dll?SignIn
when in reality the person is really logging into
http://www.my-identity-theft-site.tld
The ability to execute scripts from the command line was probably a feature, at least initially, but when the ramifications became clearer MFSA 2007-23 was issued and the capability removed. QuickTime bypasses this fix.
It is very likely that the code to execute said scripts exists in most, if not all, Firefox 2.0.0.6/operating system combinations.
It's the hole in QuickTime that makes the hole in Firefox more easily exploitable. On Linux this point is moot, since Apple has not yet released an official version of QuickTime for Linux.
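A defensive check for the behaviour described in the comment above, added here as an example and not code from the post, Mozilla or Apple: it scans QuickTime Media-Link content for qtnext values that carry command-line switches such as -chrome instead of a URL. The `embed` element, the sample strings, the numbered `qtnextN` form and the list of acceptable URL schemes are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed samples (not taken from any real file). The element name and the
# src attribute are assumptions; only "qtnext" and "-chrome" come from the text.
BENIGN = '<embed src="intro.mov" qtnext="http://media.example/next.mov"/>'
SUSPECT = '<embed src="intro.mov" qtnext="-chrome PLACEHOLDER_VALUE"/>'
BROKEN = '<embed src=intro.mov qtnext="-chrome PLACEHOLDER_VALUE">'  # not well-formed

SWITCH = re.compile(r'(?:^|\s)-{1,2}[A-Za-z][\w-]*')
CHROME = re.compile(r'(?:^|\s)-chrome\b', re.I)
ATTR = re.compile(r'''\b(qtnext\d*)\s*=\s*(?:"([^"]*)"|'([^']*)')''', re.I)
ALLOWED_SCHEMES = ("http", "https", "rtsp", "")  # assumption: "" means relative path

def qtnext_values(text):
    """Return (attribute, value) pairs; fall back to a regex for malformed XML."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return [(m.group(1).lower(),
                 m.group(2) if m.group(2) is not None else m.group(3))
                for m in ATTR.finditer(text)]
    return [(name.lower(), value)
            for el in root.iter()
            for name, value in el.attrib.items()
            if name.lower().startswith("qtnext")]

def classify(value):
    """Say why a qtnext value is suspicious, or return None if it looks like a URL."""
    v = value.strip()
    if CHROME.search(v):
        return "passes -chrome to the browser"
    if SWITCH.search(v):
        return "contains a command-line switch"
    if urlsplit(v).scheme.lower() not in ALLOWED_SCHEMES:
        return "unexpected URL scheme"
    return None

def scan(text):
    """List (attribute, value, reason) for every suspicious qtnext in the content."""
    return [(n, v, why) for n, v in qtnext_values(text)
            if (why := classify(v)) is not None]

if __name__ == "__main__":
    for sample in (BENIGN, SUSPECT, BROKEN):
        print(scan(sample))
```

The regex fallback matters because a scanner that silently skips content it cannot parse as XML would miss files that a lenient media player might still accept.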
However, if you're adventurous and would like to build your own Linux box with all bleeding-edge components, you could try the guidelines posted on the "Linux From Scratch" website (not an endorsement, just a place to start):
http://www.linuxfromscratch.org/
Why wouldn't it come with the latest version of Firefox, 2.0.0.7?
Because the people who compile and package the distro from source need to draw a line somewhere, and test for proper functionality with what they have.
If they kept updating distro packages every time a minor thing changes before release, there would never be time for any real testing, and overall quality would suffer.
... Blue Site of Death ...
... Big Sucky Online Database...
... Bill's Stealing Our DNA...
... Ballmer's Surgical Orgy of Darkness...
Needless to say, this is a bad idea.
Oops, sorry, someone else beat me to it...