Article

Firefox update blocks proof-of-concept code

SearchSecurity.com Staff

Mozilla Foundation issued an update to its Firefox browser over the weekend, blocking proof-of-concept code released last week that exploited an unresolved critical bug.

Firefox 3.0.8, released Saturday, plugs a hole exploited

    Requires Free Membership to View

by a researcher at the CanSecWest 2009 Pwn2Own contest. It also blocks a XML tag remote memory corruption vulnerability. Mozilla said both vulnerabilities could be exploited by tricking a user to visit a Web page containing malicious code.
Mozilla updates:
Firefox 3.0.7 - Mozilla repairs URL spoofing, memory corruption flaws in Firefox: Vulnerabilities causing browser instability and memory corruption errors could be exploited by attackers to access sensitive information.

Firefox 3.0.6 -
Firefox version 3.0.6 update fixes dangerous flaws: Version 3.0.6 fixes several memory corruption errors and cross-site scripting flaws that could be exploited by an attacker to gain access to critical files.

Firefox 3.0.5 - Mozilla fixes cross-site-scripting flaws: The latest update also phases out support of Firefox 2.

A bug in Firefox's garbage collection routine allows an attacker to exploit a process to access previously destroyed objects. The technique was used by a security researcher during the Pwn2Own contest, sponsored by TippingPoint's Zero Day Initiative. It causes the browser to crash and allows an attacker to run arbitrary code on a victim's computer, Mozilla said.

At the contest, The German security researcher exploited vulnerabilities in Firefox, Apple's Safari browser and Microsoft Internet Explorer 8. He was awarded $15,000 from the Zero Day Initiative.

A second flaw in the way the browserprocesses Extensible Stylesheet Language (XSL) could also crash the browser and allow an attacker to run arbitrary code. Mozilla said it expedited the update to block proof-of-concept exploit code that appeared on the Milw0rm.com website.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: