Mozilla fixes cross-site-scripting flaws

The latest update also phases out support of Firefox 2.

Mozilla issued an update fixing several dangerous cross-site-scripting (XSS) flaws that could allow an attacker...

to run malicious code and gain access to critical system files.
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

The flaws can be found in versions 2 and 3 of the Firefox browser. Firefox 3.0.5 fixes an XSS flaw in SessionStore, a session restore feature, which contains an error that could be manipulated to inject malicious code into the browser.

A serious JavaScript privilege escalation flaw was also repaired including a JavaScript syntax error that could be used by a malicious website to steal private data from users who are authenticated on the redirected website, Mozilla said in its advisory.

Danish vulnerability clearinghouse Secunia gave the flaws a highly critical rating. In its advisory, Secunia said some of the errors addressed by Mozilla allow an attacker to bypass cookie settings and identify specific users in browsing sessions.

In addition, Mozilla announced that it is dropping support of FireFox 2. The latest security update will be the last for the older version of the browser. Phishing protection, which communicates with Google to identify possible phishing sites is also being dropped in Firefox 2. Mozilla is urging users to upgrade to the latest version.

Dig Deeper on Application Attacks (Buffer Overflows, Cross-Site Scripting)



Find more PRO+ content and other member only offers, here.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: