Mozilla repairs URL spoofing, memory corruption flaws in Firefox

By SearchSecurity.com Staff 05 Mar 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Mozilla Foundation issued updates to Firefox repairing flaws that could allow cybercriminals to conduct URL spoofing attacks and other errors that could potentially expose sensitive information.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

All five advisories were issued Wednesday, including three updates labeled critical. Firefox version 3.0.7 addresses critical flaws in the browser's PNG library. The library is used by Mozilla to display compressed PNG graphics files. The flaws could be used by an attacker to crash the browser and execute arbitrary code. In order for the flaws to be exploited, a user must browse to a malicious website, Mozilla said.

Mozilla fixed an error allowing a hacker to decode control characters in the location bar. If exploited, the attacker could display a misleading URL to a malicious Web page in the browser bar and steal sensitive data from users such as passwords and account information.

Mozilla updates: Firefox 3.0.6 - Firefox version 3.0.6 update fixes dangerous flaws: Version 3.0.6 fixes several memory corruption errors and cross-site scripting flaws that could be exploited by an attacker to gain access to critical files. Firefox 3.0.5 - Mozilla fixes cross-site-scripting flaws: The latest update also phases out support of Firefox 2.

Mozilla's garbage collection process, which deletes unneeded objects, contains a critical vulnerability. "After reloading the browser on a page with such linked elements, the browser would crash when attempting to access an object which was already destroyed," Mozilla said. Thunderbird is also vulnerable to the flaw if JavaScript is enabled in email.

Critical stability flaws were also repaired in the browser engine. The bugs, which caused Firefox to crash, showed evidence of memory corruption.

"We presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla said.

In addition, a browser error that could allow an attacker to steal XML data from another domain was plugged, Mozilla said. A malicious website could allow an attacker to steal private data from users authenticated to the redirected website.

Tags: Web Browser Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Web Browser Security Exploit code targets Internet Explorer zero-day display flaw InZero Systems launches hardware-based security gateway Web security firm ranks Firefox, Safari browsers as flaw prone Microsoft fixes security update that breaks Internet Explorer Mozilla update repairs Firefox buffer overflow vulnerabilities Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Do Facebook URL security concerns justify blocking social networks? Phishing attacks to remain a major problem, say security experts Adrian Perrig: Improve SSL/TLS Security Through Education and Technology Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary browser hijacker  (SearchSecurity.com) cache cramming  (SearchSecurity.com) cache poisoning  (SearchSecurity.com) honey monkey  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) NCSA  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary