News Stay informed about the latest enterprise technology news and product updates.

Mozilla releases Firefox to fix multiple flaws

Attackers could exploit multiple flaws in Mozilla Firefox to tamper with sensitive information, conduct phishing attacks and run malicious code.

Mozilla has released an update of its popular Firefox browser to address a pile of security flaws attackers could exploit to tamper with sensitive information, conduct phishing attacks and run malicious code.

The "highly critical" issues are being addressed in version of the Firefox browser. Danish vulnerability clearinghouse Secunia outlined the issues in its SA27311 advisory:

1.) Various errors in the browser engine can be exploited to cause a memory corruption.

Mozilla Firefox updates:
May: Mozilla fixes Firefox flaws

July: Critical Firefox flaws addressed by Mozilla

Aug: Mozilla to extend security in major Firefox update

Sept: Mozilla closes QuickTime attack vector in Firefox

Who patches better: Microsoft or Mozilla? 

2.) Various errors in the Javascript engine can be exploited to cause a memory corruption. "Successful exploitation of these vulnerabilities may allow execution of arbitrary code," Secunia said.

3.) An error in the handling of onUnload events can be exploited to read and manipulate the document's location of new pages.

4.) Input passed to the user ID when making an HTTP request using Digest Authentication is not properly sanitized before being used in a request. This can be exploited to insert arbitrary HTTP headers into a user's request when a proxy is used.

5.) An error when displaying web pages written in the XUL markup language can be exploited to hide the window's title bar and facilitate phishing attacks.

6.) An error exists in the handling of "smb:" and "sftp:" URI schemes on Linux systems with gnome-vfs support. This can be exploited to read any file owned by the target user via a specially crafted page on the same server. "Successful exploitation requires that the attacker has write access to a mutually accessible location on the target server and the user is tricked into loading the malicious page," Secunia said.

7.) An unspecified error in the handling of "XPCNativeWrappers" can lead to execution of arbitrary Javascript code with the user's privileges via subsequent access by the browser chrome (e.g. when a user right-clicks to open a context menu).

Secunia noted that additional fixes have been added to prevent the exploitation of a URI handling vulnerability in Microsoft Windows. The advisory links to all the individual Mozilla advisories.

Dig Deeper on Web browser security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.