Firefox 2 dirty dozen: Critical vulnerabilities patched

Summary:Mozilla has shipped a high-priority update for Firefox 2, warning that there are at least five serious vulnerabilities that could lead to code execution attacks.With Firefox 2.

Critical vulnerabilities patched
Mozilla has shipped a high-priority update for Firefox 2, warning that there are at least five serious vulnerabilities that could lead to code execution attacks.

With Firefox 2.0.0.15, Mozilla fixes at least 12 documented vulnerabilities -- five rated critical --  that could put users at risk of arbitrary file upload, arbitrary code execution, URL spoofing and cross-site scripting attacks.

The update is available for Windows, Mac OS X and Linux users.

Mozilla is recommending that all users upgrade to the shiny new Firefox 3 but, because of compatibility issues with add-ons and extensions, some users are hesitant to upgrade immediately.

[ SEE: Code execution vulnerability found in Firefox 3.0

The Firefox 2 patch is being distributed via the browser's automatic updates mechanism but there's a small worry that some users who install but never use the browser will still be at risk.

The newest Firefox 3 is known to be vulnerable to a highly critical vulnerability that is not yet patched.

Details on the Firefox 2 patches:

  • MFSA 2008-33 Crash and remote code execution in block reflow
  • MFSA 2008-32 Remote site run as local file via Windows URL shortcut
  • MFSA 2008-31 Peer-trusted certs can use alt names to spoof
  • MFSA 2008-30 File location URL in directory listings not escaped properly
  • MFSA 2008-29 Faulty .properties file results in uninitialized memory being used
  • MFSA 2008-28 Arbitrary socket connections with Java LiveConnect on Mac OS X
  • MFSA 2008-27 Arbitrary file upload via originalTarget and DOM Range
  • MFSA 2008-25 Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
  • MFSA 2008-24 Chrome script loading from fastload file
  • MFSA 2008-23 Signed JAR tampering
  • MFSA 2008-22 XSS through JavaScript same-origin violation
  • MFSA 2008-21 Crashes with evidence of memory corruption (rv:1.8.1.15)

* Image source: laihiu's Flickr photostream (Creative Commons 2.0).

Topics: Browser

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.