Security Center

Whether you're using the Web or checking your email, you care about your security and privacy. In the Mozilla project we understand the importance of security. Here you will find alerts and announcements on security and privacy issues, general tips for surfing the Web and using email more securely, more information about how we maintain and enhance the security of our products, and useful links for Web developers.

Security Alerts & Announcements

Complete list of known vulnerabilities fixed in Mozilla product releases.

Mozilla Firefox 1.0.7 Update Available (September 21, 2005) All users should upgrade to Firefox 1.0.7, a security update to Firefox 1.0. Users can download Firefox from the download page.

Security Advisory (September 21, 2005) The Mozilla Foundation is aware of the Linux.RST.b virus that infected Linux Korean contributed versions of Mozilla Suite 1.7.6 and Thunderbird 1.0.2, as reported by Kaspersky Lab. No versions of Mozilla Firefox were infected. Infected files have been removed from the Mozilla ftp mirror network as of September 17.

Mozilla recommends that Korean users who have downloaded affected products run an antivirus product on their machine to scan for the Linux.RST.b virus and delete infected files. Further information about the Linux.RST.b virus can be found here: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=99978

Security Advisory (September 9, 2005) The Mozilla Foundation is aware of a potentially critical security vulnerability in Mozilla and Firefox browsers' support for IDN, as reported publicly on September 8. There are currently no known active exploits of this vulnerability although a "proof of concept" has been reported. To protect yourself against this exploit, follow these instructions.

Mozilla Firefox 1.0.5 Update Available (July 12, 2005) All users should upgrade to Firefox 1.0.5, a security update to Firefox 1.0. Users can download Firefox from the download page.

Mozilla Firefox 1.0.4 Update Available (May 11, 2005) All users should upgrade to Firefox 1.0.4, a security update to Firefox 1.0. Users can download Firefox from the download page.

Security Advisory (May 8, 2005) The Mozilla Foundation is aware of two potentially critical Firefox security vulnerabilities as reported publicly Saturday, May 7. There are currently no known active exploits of these vulnerabilities although a "proof of concept" has been reported. Changes to the Mozilla Update Web service have been made to mitigate the risk of an exploit. Mozilla is aggressively working to provide a more comprehensive solution to these potential vulnerabilities and will provide that solution in a forthcoming security update. Users can further protect themselves today by temporarily disabling JavaScript.

For more information about the vulnerabilities, see the advisory. Further information including the availability of updates will be posted at www.mozilla.org.

Mozilla Firefox 1.0.3 and Mozilla 1.7.7 Updates Available (April 15, 2005) All users should upgrade to Firefox 1.0.3, a security update to Firefox 1.0. Users can download Firefox from the download page or use Firefox's built-in update mechanism. Mozilla 1.7.7 is also now available here.

Mozilla Foundation Announces Availability of Firefox 1.0.2 (March 23, 2005) All users should upgrade to Firefox 1.0.2 which includes several security fixes. Users can download Firefox from the download page or use Firefox's built-in update mechanism.

Updates to Mozilla Thunderbird and Mozilla 1.7 Released (March 21, 2005) All users should upgrade to Mozilla Thunderbird 1.0.2 and Mozilla 1.7.6. Users can download Thunderbird from the download page. Users can download Mozilla 1.7.6 here.

Mozilla Foundation Announces Update to Firefox (February 24, 2005) All users should upgrade to Firefox 1.0.1, a security update to Firefox 1.0. Users can download Firefox from the download page or use Firefox's built-in update mechanism.

Mozilla Foundation Announces Important Security Update (October 1, 2004) The Mozilla Foundation releases an important security update for Firefox. All users should upgrade to the latest version of the Firefox Preview Release. A patch is available for current Preview Release users. More information and download links are available in the announcement.

Mozilla Foundation Announces First Security Bug Bounty Payments, Security Fixes (September 14, 2004) The Mozilla Foundation today announced the first payments as part of its Security Bug Bounty Program and security improvements in the new Firefox Preview Release, Thunderbird 0.8, and Mozilla 1.7.3. Please see the list of known vulnerabilities for details.

Internet Security Systems, Inc. (ISS) reported buffer overflow vulnerabilities in all known releases of the Network Security Services (NSS) library suite.
(August 2004) Updates are available for server products that use NSS.

Updates to Mozilla 1.7, Firefox 0.9, Thunderbird 0.7 to fix security vulnerabilities
(August 4, 2004) The Mozilla applications have been updated to fix several security issues, including some vulnerabilities recently mentioned in the press.

Security Bug Bounty Program announcement
(August 2, 2004)

Announcement on Security Issues
(August 2, 2004)

shell:Protocol security Issue
(July 7, 2004) The shell:Protocol security vulnerability affects the Mozilla Application Suite, Firefox, and Thunderbird. Download the latest versions or learn how to patch your current version to fix this problem.

Tips for Secure Browsing

  • Always use the most current version of your browser.
  • Check for the "lock" icon on the status bar that shows that you are on a secured web site. Also check that the URL begins with "https" in the location bar when making transactions online.
  • In the Tools menu of Firefox, Tools > Options > Privacy, you can clear your information with one click of a button. This is especially useful when using a computer in a public location.
  • Perform transactions (like shopping or submitting personal information) at sites that are well established and that are familiar to you. If you're not familiar with a site, make sure that the site has a privacy policy and information about the site's security measures.

Tips for Using Email Securely

  • Be aware that it is extremely easy for someone to forge an email message to make it appear as if the message has been sent by your bank, a software vendor (e.g., Microsoft), or another entity with whom you do business. If a message requests that you send your password or other private information, or asks that you run or install an attached file, then it is very likely that the message is not legitimate. When in doubt, just mark the message as "junk" and delete it.
  • Be cautious when clicking on links sent to you in email messages. If you do click on such a link, double-check the name of the site as shown in the location bar of the browser, and be especially careful if the site name displayed is an IP address (e.g., "192.168.25.75") instead of a domain name (e.g., "www.example.com"); in the former case it is very likely the site is not legitimate. Don't enter any personal information into forms displayed at such a site, and if you have any concerns whatsoever about your security, just close the browser window.

For Developers: Contacting Mozilla

Report security-related bugs and learn more about how we secure our products:

  • If you believe that you've found a Mozilla-related security vulnerability, please report it by sending email to the address security@mozilla.org. Note that your report may be eligible for a reward; see below.
  • For more information on how to report security vulnerabilities and how the Mozilla community will respond to such reports, see our policy for handling security bugs.
  • We want to make Firefox, Thunderbird, the Mozilla Suite, and other Mozilla products as secure as possible, and want to encourage research, study, timely disclosure, and rapid fixing of any serious security vulnerabilities. We've established a Security Bug Bounty Program to reward people who help us reach that objective.
  • We encourage you to learn more about our Mozilla security projects and participate in the development of security features and capabilities in our products.

Press Contact: Mary Colvig, 650-762-2820; Judi Palmer, 650-762-2812, or send mail to press@mozilla.org.