Mozilla has released updated versions of its popular Firefox browser, fixing security flaws attackers could exploit to access sensitive information, cause a denial of service or run malicious code on targeted machines. For Firefox 1.5 users, this is the final update.
"As part of the Firefox 220.127.116.11 and 18.104.22.168 update releases Mozilla developers fixed many bugs to improve the stability of the product," Mozilla said in an advisory. "We presume that with enough effort at least some of these [flaws] could be exploited to run arbitrary code."
Mozilla also fixed input validation errors in how cookie path and name values are processed, which attackers could exploit to cause a denial of service; and weakness in the APOP authentication that could allow attackers to access sensitive information.
Also fixed was an error in the "nsEventReceiverSH::AddEventListenerHelper()" [nsDOMClassInfo.cpp] function attackers could exploit to bypass the browser's same-origin policy and access or modify data from arbitrary sites by tricking a user into visiting a specially crafted Web page.
Finally, Mozilla fixed an error in how XUL popups are handled. Attackers could exploit this to spoof or hide parts of the browser chrome such as the location bar.
This is the final security update for Firefox 1.5. Mozilla will now nudge users to make the switch to Firefox 2.0.