Security Management Strategies for the CIOMozilla Foundation issued updates to Firefox repairing flaws that could allow cybercriminals to conduct URL spoofing attacks and other errors that could potentially expose sensitive information.
Requires Free Membership to View
 |
||||
|
|
|||
|
||||
All five advisories were issued Wednesday, including three updates labeled critical. Firefox version 3.0.7 addresses critical flaws in the browser's PNG library. The library is used by Mozilla to display compressed PNG graphics files. The flaws could be used by an attacker to crash the browser and execute arbitrary code. In order for the flaws to be exploited, a user must browse to a malicious website, Mozilla said.
Mozilla fixed an error allowing a hacker to decode control characters in the location bar. If exploited, the attacker could display a misleading URL to a malicious Web page in the browser bar and steal sensitive data from users such as passwords and account information.
|
||||
|
|
|||
|
||||
Mozilla's garbage collection process, which deletes unneeded objects, contains a critical vulnerability. "After reloading the browser on a page with such linked elements, the browser would crash when attempting to access an object which was already destroyed," Mozilla said. Thunderbird is also vulnerable to the flaw if JavaScript is enabled in email.
Critical stability flaws were also repaired in the browser engine. The bugs, which caused Firefox to crash, showed evidence of memory corruption.
"We presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla said.
In addition, a browser error that could allow an attacker to steal XML data from another domain was plugged, Mozilla said. A malicious website could allow an attacker to steal private data from users authenticated to the redirected website.
Join the conversationComment
Share
Comments
Results
Contribute to the conversation