Mozilla plugs 10 more Firefox holes

Summary: Mozilla has shipped the eighth refresh of its flagship Firefox 2 browser to fix at least 10 vulnerabilities affecting Windows and Linux users.


The latest Firefox 2.0.0.8 update includes another two patches rated "critical" because of the risk of code execution.

The first high-priority issue (MFSA 2007-35) swats a bug that allows attackers to execute malicious JavaScript code with the rights of the local user.

[It is] possible to use the Script object to modify XPCNativeWrappers in such a way that subsequent access by the browser chrome -- such as by right-clicking to open a context menu -- can cause attacker-supplied javascript to run with the same privileges as the user. This is similar to MFSA 2007-25 fixed in Firefox 2.0.0.5.

Mozilla also released a patch (MFSA 2007-29) to fix two vulnerabilities that could cause browser crashes "with evidence of memory corruption."

The latest update, which now supports Mac OS X Leopard, includes another fix (MFSA 2007-36) for the URI protocol handling issue that has haunted Windows users all year; a fix for a bug (MFSA 2007-34) that makes it possible to steal files through the SFTP protocol; and a fix for a flaw (MFSA 2007-33) that allows XUL pages to hide the window titlebar.

It also fixes a file input focus stealing vulnerability (MFSA 2007-32); a browser digest authentication request splitting flaw (MFSA 2007-31); and an onUnload Tailgating issue (MFSA 2007-30) that can lead to spoofing attacks.

Topics: Browser, Security

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
