Mozilla patches critical, high-risk Firefox vulnerabilities

The most serious issue could lead to remote code execution attacks, according to warning from the open-source browser software maker.  In other scenarios, the bugs could cause denial-of-service or URL spoofing attacks.

Here are the details on the Firefox 3.5.6 security fixes, which affect all platforms (Windows, Mac and Linux):

• MFSA 2009-67 (Critical) -- An integer overflow in the Theora video library. A video's dimensions were being multiplied together and used in particular memory allocations. When the video dimensions were sufficiently large, the multiplication could overflow a 32-bit integer resulting in too small a memory buffer being allocated for the video. An attacker could use a specially crafted video to write data past the bounds of this buffer, causing a crash and potentially running arbitrary code on a victim's computer.
• MFSA 2009-66 (Critical) -- Several bugs in liboggplay which posed potential memory safety issues. The bugs which were fixed could potentially be used by an attacker to crash a victim's browser and execute arbitrary code on their computer.
• MFSA 2009-65 (Critical) -- Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes  -- four documented vulnerabilities -- showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
• MFSA 2009-68 (High Risk) -- Mozilla's NTLM implementation was vulnerable to reflection attacks in which NTLM credentials from one application could be forwarded to another arbitary application via the browser. If an attacker could get a user to visit a web page he controlled he could force NTLM authenticated requests to be forwarded to another application on behalf of the user.
• MFSA 2009-70 (Moderate) -- A content window which is opened by a chrome window retains a reference to the chrome window via the window.opener property. Using this reference, content in the new window can access functions inside the chrome window, such as eval, and use these functions to run arbitrary JavaScript code with chrome privileges. In a stock Mozilla browser a remote attacker can not cause these application dialogs to appear nor to automatically load the attack code that takes advantage of this flaw in window.opener. There may be add-ons which open potentially hostile web-content in this way, and combined with such an add-on the severity of this flaw could be upgraded to Critical.
• MFSA 2009-69 (Moderate) -- When a page loaded over an insecure protocol, such as http: or file:, sets its document.location to a https: URL which responds with a 204 status and empty response body, the insecure page will receive SSL indicators near the location bar, but will not have its page content modified in any way. This could lead to a user believing they were on a secure page when in fact they were not.  Separately,  a web page can set document.location to a URL that can't be displayed properly and then inject content into the resulting blank page. An attacker could use this vulnerability to place a legitimate-looking but invalid URL in the location bar and inject HTML and JavaScript into the body of the page, resulting in a spoofing attack.
• MFSA 2009-71 (Low Risk) -- The exception messages generated by Mozilla's GeckoActiveXObject differ based on whether or not the requested COM object's ProgID is present in the system registry. A malicious site could use this vulnerability to enumerate a list of COM objects installed on a user's system and create a profile to track the user across browsing sessions.

Mozilla is distributing the patches via the browser's built-in automatic update mechanism.  End users (Mac, Windows and Linux) should apply the update urgently.