Mozilla issues fixes for Firefox, SeaMonkey and Thunderbird

By Bill Brenner, Senior News Writer 20 Dec 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Ultimately, the attacker could take complete control of the targeted machine. Mozilla urged users to upgrade to Firefox versions 1.5.0.9 or 2.0.0.1. The latter version is for those who recently upgraded to Firefox 2.0.

Mozilla Firefox: Firefox antiphishing feature beats Internet Explorer in Mozilla test Firefox, IE flaw could expose passwords Firefox fans unfazed by IE 7 Security Blog Log: Dissecting Firefox 2.0 What if Firefox were the target?

According to the Mozilla bulletins, the vulnerabilities are:

• Several errors in the layout and JavaScript engine attackers could exploit to corrupt system memory and launch malicious code.
• An error that occurs when the CPU's floating point precision is reduced. This could happen on Windows machines when the user loads a plug-in creating a Direct3D device. Doing so could prevent the "js_dtoa()" function from exiting, leading to memory corruption.
• A Windows bitmap boundary error attackers could exploit to cause a heap-based buffer overflow.
• An error in the "watch()" JavaScript function attackers could exploit to launch malicious code.
• An error in LiveConnect that causes an already freed object to be used. Attackers could exploit this to launch malicious code.
• An error in how the "src" attribute of IMG elements are loaded into a frame. Attackers could exploit this to change the attribute to a "javascript:" URI. They could then launch malicious HTML and script code in a user's browser session.
• An error in how SVG comment objects are handled. Attackers could exploit this to corrupt system memory and launch malicious code.
• A condition in which the "Feed Preview" feature of Firefox 2.0 may leak feed-browsing habits to Web sites when retrieving the icons of installed Web-based feed viewers.
• A function prototype regression in Firefox 2.0 attackers could exploit to launch malicious HTML and script code in a user's browser session.

Tags: Web Browser Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Web Browser Security Microsoft fixes security update that breaks Internet Explorer Mozilla update repairs Firefox buffer overflow vulnerabilities Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Do Facebook URL security concerns justify blocking social networks? Phishing attacks to remain a major problem, say security experts Adrian Perrig: Improve SSL/TLS Security Through Education and Technology New Bahama botnet evades search engines, fuels click fraud SANS: Application threats, website flaws pose biggest security threats Mozilla helps Adobe push out faster patches Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary browser hijacker  (SearchSecurity.com) cache cramming  (SearchSecurity.com) cache poisoning  (SearchSecurity.com) honey monkey  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) NCSA  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary