Firefox update blocks proof-of-concept code

By SearchSecurity.com Staff 30 Mar 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Mozilla Foundation issued an update to its Firefox browser over the weekend, blocking proof-of-concept code released last week that exploited an unresolved critical bug.

Firefox 3.0.8, released Saturday, plugs a hole exploited by a researcher at the CanSecWest 2009 Pwn2Own contest. It also blocks a XML tag remote memory corruption vulnerability. Mozilla said both vulnerabilities could be exploited by tricking a user to visit a Web page containing malicious code.

Mozilla updates: Firefox 3.0.7 - Mozilla repairs URL spoofing, memory corruption flaws in Firefox: Vulnerabilities causing browser instability and memory corruption errors could be exploited by attackers to access sensitive information. Firefox 3.0.6 - Firefox version 3.0.6 update fixes dangerous flaws: Version 3.0.6 fixes several memory corruption errors and cross-site scripting flaws that could be exploited by an attacker to gain access to critical files. Firefox 3.0.5 - Mozilla fixes cross-site-scripting flaws: The latest update also phases out support of Firefox 2.

A bug in Firefox's garbage collection routine allows an attacker to exploit a process to access previously destroyed objects. The technique was used by a security researcher during the Pwn2Own contest, sponsored by TippingPoint's Zero Day Initiative. It causes the browser to crash and allows an attacker to run arbitrary code on a victim's computer, Mozilla said.

At the contest, The German security researcher exploited vulnerabilities in Firefox, Apple's Safari browser and Microsoft Internet Explorer 8. He was awarded $15,000 from the Zero Day Initiative.

A second flaw in the way the browserprocesses Extensible Stylesheet Language (XSL) could also crash the browser and allow an attacker to run arbitrary code. Mozilla said it expedited the update to block proof-of-concept exploit code that appeared on the Milw0rm.com website.

Tags: Web Browser Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Web Browser Security Exploit code targets Internet Explorer zero-day display flaw InZero Systems launches hardware-based security gateway Web security firm ranks Firefox, Safari browsers as flaw prone Microsoft fixes security update that breaks Internet Explorer Mozilla update repairs Firefox buffer overflow vulnerabilities Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Do Facebook URL security concerns justify blocking social networks? Phishing attacks to remain a major problem, say security experts Adrian Perrig: Improve SSL/TLS Security Through Education and Technology Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary browser hijacker  (SearchSecurity.com) cache cramming  (SearchSecurity.com) cache poisoning  (SearchSecurity.com) honey monkey  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) NCSA  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary