
Mozilla fixes potential DoS flaws in Firefox

By Bill Brenner, Senior News Writer
31 May 2007 | SearchSecurity.com


Mozilla has released updated versions of its popular Firefox browser, fixing security flaws attackers could exploit to access sensitive information, cause a denial of service or run malicious code on targeted machines. For Firefox 1.5 users, this is the final update.

"As part of the Firefox 2.0.0.4 and 1.5.0.12 update releases Mozilla developers fixed many bugs to improve the stability of the product," Mozilla said in an advisory. "We presume that with enough effort at least some of these [flaws] could be exploited to run arbitrary code."


The French Security Incident Response Team (FrSIRT) said in an advisory that the first problem is a series of memory corruption errors in the layout and JavaScript engines when malformed data is parsed. Attackers could exploit this to crash a vulnerable application or run malicious code. The second problem is an error within the autocomplete feature when overly long text fields are processed. Malicious Web sites could exploit this to crash an affected browser or exhaust all available memory resources, causing a denial of service.

Mozilla also fixed input validation errors in how cookie path and name values are processed, which attackers could exploit to cause a denial of service, and a weakness in APOP authentication that could allow attackers to access sensitive information.

Also fixed was an error in the "nsEventReceiverSH::AddEventListenerHelper()" function [nsDOMClassInfo.cpp] that attackers could exploit to bypass the browser's same-origin policy and access or modify data from arbitrary sites by tricking a user into visiting a specially crafted Web page.

Finally, Mozilla fixed an error in how XUL popups are handled. Attackers could exploit this to spoof or hide parts of the browser chrome such as the location bar.

This is the final security update for Firefox 1.5. Mozilla will now nudge users to make the switch to Firefox 2.0.


