Mozilla repairs URL spoofing, memory corruption flaws in Firefox

Vulnerabilities causing browser instability and memory corruption errors could be exploited by attackers to access sensitive information.

Mozilla Foundation issued updates to Firefox repairing flaws that could allow cybercriminals to conduct URL spoofing attacks and other errors that could potentially expose sensitive information.

SearchSecurity.com:
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

All five advisories were issued Wednesday, including three updates labeled critical. Firefox version 3.0.7 addresses critical flaws in the browser's PNG library. The library is used by Mozilla to display compressed PNG graphics files. The flaws could be used by an attacker to crash the browser and execute arbitrary code. In order for the flaws to be exploited, a user must browse to a malicious website, Mozilla said.

Mozilla fixed an error allowing a hacker to decode control characters in the location bar. If exploited, the attacker could display a misleading URL to a malicious Web page in the browser bar and steal sensitive data from users such as passwords and account information.

Mozilla updates:

Firefox 3.0.6 - Firefox version 3.0.6 update fixes dangerous flaws: Version 3.0.6 fixes several memory corruption errors and cross-site scripting flaws that could be exploited by an attacker to gain access to critical files.

Firefox 3.0.5 -
Mozilla fixes cross-site-scripting flaws: The latest update also phases out support of Firefox 2.

Mozilla's garbage collection process, which deletes unneeded objects, contains a critical vulnerability. "After reloading the browser on a page with such linked elements, the browser would crash when attempting to access an object which was already destroyed," Mozilla said. Thunderbird is also vulnerable to the flaw if JavaScript is enabled in email.

Critical stability flaws were also repaired in the browser engine. The bugs, which caused Firefox to crash, showed evidence of memory corruption.

"We presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla said.

In addition, a browser error that could allow an attacker to steal XML data from another domain was plugged, Mozilla said. A malicious website could allow an attacker to steal private data from users authenticated to the redirected website.

Dig deeper on Web Browser Security

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close