Mozilla delivers patches for Firefox; Plugs flat file vulnerability

Summary:Mozilla on Friday delivered its Firefox 2.0.0.12 update including patches that fix a Web forgery flaw, browsing history and forward navigation stealing and the directory traversal via chrome, which has been the most visible vulnerability of late.

Mozilla on Friday delivered its Firefox 2.0.0.12 update including patches that fix a Web forgery flaw, browsing history and forward navigation stealing and the directory traversal via chrome, which has been the most visible vulnerability of late.

According to the Firefox security advisory, Mozilla filed the following fixes in its flagship browser:

The most notable of the bunch is MFSA 2008-05. This fix covered that vulnerability that allowed an attacker to run off with stored cookies and other data contained in flat files. The vulnerability was discovered by researcher Gerry Eisenhaur. On Jan. 29, Mozilla security chief Window Snyder upgraded the vulnerability and set plans for Firefox 2.0.0.12. On Jan. 22, Snyder confirmed a proof of concept vulnerability discovered by Eisenhaur on Jan. 19.

Regarding the flat file flaw Mozilla said:

URI scheme improperly allowed directory traversal that could be used to load JavaScript, images, and stylesheets from local files in known locations. This traversal was possible only when the browser had installed add-ons which used "flat" packaging rather than the more popular .jar packaging, and the attacker would need to target that specific add-on.

Mozilla researcher moz_bug_r_a4 reported that this vulnerability could be used to steal the contents of the browser's sessionstore.js file, which contains session cookie data and information about currently open web pages.

mozilla.png

Another critical flaw (MFSA-2008-06) was one that allowed the stealing of Web browsing and forward navigation stealing. Mozilla noted:

Mozilla contributor David Bloom reported a vulnerability in the way images are treated by the browser when a user leaves a page which utilizes designMode frames. The reported issue can be used to steal a user's navigation history, forward navigation information, and crash the user's browser. The crash showed evidence of memory corruption and might be exploitable to run arbitrary code.

And a third critical vulnerability (MFSA-2008-03) covered a "privilege escalation, XSS Remote Code Execution."

Mozilla said:

Mozilla contributors moz_bug_r_a4 and Boris Zbarsky submitted a series of vulnerabilities which allow scripts from page content to escape from its sandboxed context and/or run with chrome privileges. An additional vulnerability reported by moz_bug_r_a4 demonstrated that the XMLDocument.load() function can be used to inject script into another site, violating the browser's same-origin policy.

And finally Firefox 2.0.0.12 addresses crashes due to memory corruption (MFSA-2008-01). Mozilla noted:

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox 2.0.0.12 and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

The remaining patches covered vulnerabilities that were deemed less critical. These vulnerabilities also affected Thunderbird and SeaMonkey.

Topics: Browser, Security

About

Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic. He was most recently Executive Editor of News and Blogs at ZDNet. Prior to that he was executive news editor at eWeek and news editor at Baseline. He also served as the East Coast news editor and finance editor at CN... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.