
Mozilla fixes potential DoS flaws in Firefox

By Bill Brenner, Senior News Writer
31 May 2007 | SearchSecurity.com


Mozilla has released updated versions of its popular Firefox browser, fixing security flaws attackers could exploit to access sensitive information, cause a denial of service or run malicious code on targeted machines. For Firefox 1.5 users, this is the final update.

"As part of the Firefox 2.0.0.4 and 1.5.0.12 update releases Mozilla developers fixed many bugs to improve the stability of the product," Mozilla said in an advisory. "We presume that with enough effort at least some of these [flaws] could be exploited to run arbitrary code."


The French Security Incident Response Team (FrSIRT) said in an advisory that the first problem is a series of memory corruption errors in the layout and JavaScript engines when malformed data is parsed. Attackers could exploit this to crash a vulnerable application or run malicious code. The second problem is an error within the autocomplete feature when overly long text fields are processed. Malicious Web sites could exploit this to crash an affected browser or exhaust all available memory resources, causing a denial of service.

Mozilla also fixed input validation errors in how cookie path and name values are processed, which attackers could exploit to cause a denial of service, and a weakness in APOP authentication that could allow attackers to access sensitive information.

Also fixed was an error in the "nsEventReceiverSH::AddEventListenerHelper()" function [nsDOMClassInfo.cpp] that attackers could exploit to bypass the browser's same-origin policy and access or modify data from arbitrary sites by tricking a user into visiting a specially crafted Web page.

Finally, Mozilla fixed an error in how XUL popups are handled. Attackers could exploit this to spoof or hide parts of the browser chrome such as the location bar.

This is the final security update for Firefox 1.5. Mozilla will now nudge users to make the switch to Firefox 2.0.


