News Stay informed about the latest enterprise technology news and product updates.

Firefox version 3.0.6 update fixes dangerous flaws

Version 3.0.6 fixes several memory corruption errors and cross-site scripting flaws that could be exploited by an attacker to gain access to critical files.

Mozilla released the latest version of its popular Firefox browser, repairing memory corruption errors and cross-site scripting vulnerabilities that could be exploited by an attacker to run malicious code.
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Firefox version 3.0.6 includes six advisories, one rated critical, fixing errors in Firefox, Thunderbird and SeaMonkey.

The most critical flaws were several stability fixes to the browser engine, patching memory corruption errors. The layout and JavaScript engines contain flaws that could be exploited "under certain circumstances," Mozilla said.

Thunderbird is also affected by the JavaScript engine flaws if JavaScript is enabled in mail. Mozilla advises users to turn off JavaScript in mail.

Firefox updates:
Mozilla fixes cross-site-scripting flaws: Firefox 3.0.5 also phases out support of Firefox 2.

"Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript such as large images," Mozilla said.

In addition, Mozilla warned that an extensible bindings language (XBL) error could be used to execute arbitrary JavaScript and conduct a cross-site scripting attack. Successful exploitation of the flaw gives an attacker the ability to access the victim's cookies and access recently submitted data.

An attack using a vulnerability in Mozilla's SessionStore feature was also repaired. SessionStore saves session data, including open windows and tabs, window size and position, and text typed in forms. Mozilla said an attacker could manipulate a closed tab and if the victim reopens it, malicious scripts in the page can steal the victim's local file.

Other less critical vulnerabilities patched by Mozilla included a chrome privilege escalation attack method using local desktop shortcut files, a XML request error and a cached pages problem.

Danish vulnerability clearinghouse Secunia gave the Mozilla updates a highly critical rating, warning that, if exploited by an attacker, the flaws could be used to gain remote access to sensitive information and certain system files.

Dig Deeper on Web browser security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.