Critical Firefox flaws addressed by Mozilla

Article

Critical Firefox flaws addressed by Mozilla

Mozilla released an updated version of its Firefox browser, fixing critical security flaws that could be exploited by attackers to gain access to sensitive information, cause a denial of service or execute arbitrary code.

The flaws have been addressed in Firefox version 2.0.0.5, which will automatically update for most users. Mozilla's last

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Firefox update was in May, when it patched several critical vulnerabilities.

Mozilla's MFSA 2007-18 advisory addresses a critical memory corruption which could result in 32 separate crash conditions. The issues could be exploited by an attacker to execute arbitrary code. Mozilla Thunderbird, which also uses Firefox has also been updated to correct the issues.

Firefox update:
May - Mozilla fixes Firefox flaws: Firefox versions 2.0.0.4 and 1.5.0.12 fix flaws attackers could exploit to do a variety of damage. Mozilla says this is the final update for Firefox 1.5.

Who patches better: Microsoft or Mozilla? In this interview, Window Snyder, Mozilla's security chief, discusses the vendors patching strategy and compares it to Microsoft's update plan.

"Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript, such as large images," Mozilla said in its advisory.

The MFSA 2007-19 advisory addresses a timing issue when using 'addEventLstener' or 'setTimeout.' Mozilla said the timing issue could result in cross-site-scripting and cross-domain attacks. MFSA 2007-20 addresses a low-impact frame spoofing issue, which could allow the injection of content into about:blank frames in a page.

Mozilla's MFSA 2007-21 advisory addresses an event handling error that could lead to arbitrary code execution. Mozilla said the flaw could be used by a remote attacker to gain access to the browser.

MFSA 2007-22 through MFSA 2007-24 address a critical issue which could allow remote code execution by launching Firefox from Internet Explorer, a less critical file extension error and a high-impact wyciwyg:// documents error.

"The vulnerability is exposed when a user browses to a malicious web page in Internet Explorer and clicks on a specially crafted link," Mozilla said in its advisory. "That link causes Internet Explorer to invoke another Windows program via the command line and then pass that program the URL from the malicious webpage without escaping the quotes."

The MFSA 2007-25 advisory addresses a flaw in the XPC native wrapper that could be modified by an attacker to gain browser access.

The updates prompted Symantec to issue a vulnerability alert to its customers advising them to upgrade to the latest version. Symantec said an attacker could steal cookie-based authentication credentials, launch denial-of-service attacks and ultimately compromise the browser.

"To exploit most of the described vulnerabilities, an attacker must either host a malicious website or send malicious HTML email to unsuspecting users," Symantec said in its advisory.