Mozilla fixes several Firefox flaws

Article

Mozilla fixes several Firefox flaws

Bill Brenner, Senior News Writer

Mozilla has updated its Firefox browser to close seven different security holes, capping off a busy week for IT administrators who've had to deal with Microsoft's monthly patch release and security fixes

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

for Apple QuickTime and Adobe Flash Player.

Mozilla released Firefox 1.5.0.7 to address flaws that could expose systems to man-in-the-middle, spoofing and cross-site scripting attacks.

Danish vulnerability clearinghouse Secunia described the flaws its advisory:

  • The first problem is in how Firefox handles JavaScript regular expressions containing a minimal quantifier. Attackers could exploit the flaw to cause a heap-based buffer overflow and launch malicious code.

  • The second problem is that users might accept an unverifiable self-signed certificate when visiting a Web site, which could allow an attacker to redirect the update check to a malicious Web site in a man-in-the-middle attack.

  • The third problem are time-dependent errors that surface during text display that could be exploited to corrupt memory and launch malicious code.

  • The fourth problem exists within the verification of certain signatures in the bundled Network Security Services (NSS) library.

  • The fifth problem is an error in cross-domain handling that could be exploited to inject arbitrary HTML and script code in a sub-frame of another Web site via a "[window].frames[index].document.open()" call.

  • The sixth problem is an error that appears in certain situations when blocked popups are opened incorrectly from the status bar via the "blocked popups" function. This could be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary Web site.

  • The seventh problem involves some unspecified memory corruption errors that could be exploited to launch malicious code.