Firefox version 3.0.6 update fixes dangerous flaws

By SearchSecurity.com Staff 04 Feb 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Mozilla released the latest version of its popular Firefox browser, repairing memory corruption errors and cross-site scripting vulnerabilities that could be exploited by an attacker to run malicious code.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Firefox version 3.0.6 includes six advisories, one rated critical, fixing errors in Firefox, Thunderbird and SeaMonkey.

The most critical flaws were several stability fixes to the browser engine, patching memory corruption errors. The layout and JavaScript engines contain flaws that could be exploited "under certain circumstances," Mozilla said.

Thunderbird is also affected by the JavaScript engine flaws if JavaScript is enabled in mail. Mozilla advises users to turn off JavaScript in mail.

Firefox updates: Mozilla fixes cross-site-scripting flaws: Firefox 3.0.5 also phases out support of Firefox 2.

"Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript such as large images," Mozilla said.

In addition, Mozilla warned that an extensible bindings language (XBL) error could be used to execute arbitrary JavaScript and conduct a cross-site scripting attack. Successful exploitation of the flaw gives an attacker the ability to access the victim's cookies and access recently submitted data.

An attack using a vulnerability in Mozilla's SessionStore feature was also repaired. SessionStore saves session data, including open windows and tabs, window size and position, and text typed in forms. Mozilla said an attacker could manipulate a closed tab and if the victim reopens it, malicious scripts in the page can steal the victim's local file.

Other less critical vulnerabilities patched by Mozilla included a chrome privilege escalation attack method using local desktop shortcut files, a XML request error and a cached pages problem.

Danish vulnerability clearinghouse Secunia gave the Mozilla updates a highly critical rating, warning that, if exploited by an attacker, the flaws could be used to gain remote access to sensitive information and certain system files.

Tags: Web Browser Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Web Browser Security Exploit code targets Internet Explorer zero-day display flaw InZero Systems launches hardware-based security gateway Web security firm ranks Firefox, Safari browsers as flaw prone Microsoft fixes security update that breaks Internet Explorer Mozilla update repairs Firefox buffer overflow vulnerabilities Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Do Facebook URL security concerns justify blocking social networks? Phishing attacks to remain a major problem, say security experts Adrian Perrig: Improve SSL/TLS Security Through Education and Technology Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary browser hijacker  (SearchSecurity.com) cache cramming  (SearchSecurity.com) cache poisoning  (SearchSecurity.com) honey monkey  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) NCSA  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary