Mozilla fixes cross-site-scripting flaws

SearchSecurity.com Staff

Mozilla issued an update fixing several dangerous cross-site-scripting (XSS) flaws that could allow an attacker to run malicious code and gain access to critical system files.


The flaws can be found in versions 2 and 3 of the Firefox browser. Firefox 3.0.5 fixes an XSS flaw in SessionStore, a session restore feature, which contains an error that could be manipulated to inject malicious code into the browser.

A serious JavaScript privilege escalation flaw was also repaired, including a JavaScript syntax error that a malicious website could use to steal private data from users who are authenticated on the redirected website, Mozilla said in its advisory.

Danish vulnerability clearinghouse Secunia gave the flaws a highly critical rating. In its advisory, Secunia said some of the errors addressed by Mozilla allow an attacker to bypass cookie settings and identify specific users in browsing sessions.

In addition, Mozilla announced that it is dropping support for Firefox 2. The latest security update will be the last for the older version of the browser. Phishing protection, which communicates with Google to identify possible phishing sites, is also being dropped in Firefox 2. Mozilla is urging users to upgrade to the latest version.

