Mozilla fixes critical Firefox, Thunderbird flaws

Summary: The organisation has fixed seven vulnerabilities in the latest release of Firefox, with SeaMonkey and Thunderbird also affected

Mozilla has fixed seven vulnerabilities in the latest release of Firefox, with SeaMonkey and Thunderbird also affected.

Mozilla recommends users disable JavaScript in Thunderbird for the two critical flaws — MFSA 2008-15 and MFSA 2008-14 — since the email client shares the same browser engine as Firefox.

MFSA 2008-15 is a memory-corruption flaw and could allow an attacker to run arbitrary code. Mozilla has identified JavaScript errors as the source. However, it warned that an attacker could also use large image files to execute an attack.

MFSA 2008-14, meanwhile, permits an attacker to force a browser to run JavaScript code to conduct cross-site scripting and arbitrary code execution.

The two critical vulnerabilities resolved in Firefox's release also affect Thunderbird and Mozilla's email application suite, SeaMonkey. Mozilla has identified two other "high impact" flaws — MFSA 2008-19 and MFSA 2008-18 — which could allow an attacker to create false login prompts and discover a user's identity through SSL certificates.

"It was possible to have a background tab create a borderless XUL [Mozilla's XML user-interface language] pop-up in front of the active tab in the user's browser. This technique could be used by an attacker to spoof form elements, such as a login prompt for a site opened in a different tab, and steal the user's login credentials for that site," Mozilla advised on its known-vulnerabilities web page.

Topics: Security


Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, s...
