Ultimately,
Requires Free Membership to View
SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!
Michael S. Mimoso, Editorial Director
the attacker could take complete control of the targeted machine. Mozilla urged users to upgrade to Firefox versions 1.5.0.9 or 2.0.0.1. The latter version is for those who recently upgraded to Firefox 2.0.
According to the Mozilla bulletins, the vulnerabilities are:
- Several errors in the layout and JavaScript engine attackers could exploit to corrupt system memory and launch malicious code.
- An error that occurs when the CPU's floating point precision is reduced. This could happen on Windows machines when the user loads a plug-in creating a Direct3D device. Doing so could prevent the "js_dtoa()" function from exiting, leading to memory corruption.
- A Windows bitmap boundary error attackers could exploit to cause a heap-based buffer overflow.
- An error in the "watch()" JavaScript function attackers could exploit to launch malicious code.
- An error in LiveConnect that causes an already freed object to be used. Attackers could exploit this to launch malicious code.
- An error in how the "src" attribute of IMG elements are loaded into a frame. Attackers could exploit this to change the attribute to a "javascript:" URI. They could then launch malicious HTML and script code in a user's browser session.
- An error in how SVG comment objects are handled. Attackers could exploit this to corrupt system memory and launch malicious code.
- A condition in which the "Feed Preview" feature of Firefox 2.0 may leak feed-browsing habits to Web sites when retrieving the icons of installed Web-based feed viewers.
- A function prototype regression in Firefox 2.0 attackers could exploit to launch malicious HTML and script code in a user's browser session.