Mozilla repairs URL spoofing, memory corruption flaws in Firefox

Article

Mozilla repairs URL spoofing, memory corruption flaws in Firefox

Mozilla Foundation issued updates to Firefox repairing flaws that could allow cybercriminals to conduct URL spoofing attacks and other errors that could potentially expose sensitive information.

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

SearchSecurity.com:
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

All five advisories were issued Wednesday, including three updates labeled critical. Firefox version 3.0.7 addresses critical flaws in the browser's PNG library. The library is used by Mozilla to display compressed PNG graphics files. The flaws could be used by an attacker to crash the browser and execute arbitrary code. In order for the flaws to be exploited, a user must browse to a malicious website, Mozilla said.

Mozilla fixed an error allowing a hacker to decode control characters in the location bar. If exploited, the attacker could display a misleading URL to a malicious Web page in the browser bar and steal sensitive data from users such as passwords and account information.

Mozilla updates:

Firefox 3.0.6 - Firefox version 3.0.6 update fixes dangerous flaws: Version 3.0.6 fixes several memory corruption errors and cross-site scripting flaws that could be exploited by an attacker to gain access to critical files.

Firefox 3.0.5 - Mozilla fixes cross-site-scripting flaws: The latest update also phases out support of Firefox 2.

Mozilla's garbage collection process, which deletes unneeded objects, contains a critical vulnerability. "After reloading the browser on a page with such linked elements, the browser would crash when attempting to access an object which was already destroyed," Mozilla said. Thunderbird is also vulnerable to the flaw if JavaScript is enabled in email.

Critical stability flaws were also repaired in the browser engine. The bugs, which caused Firefox to crash, showed evidence of memory corruption.

"We presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla said.

In addition, a browser error that could allow an attacker to steal XML data from another domain was plugged, Mozilla said. A malicious website could allow an attacker to steal private data from users authenticated to the redirected website.