Firefox 2 dirty dozen: Critical vulnerabilities patched


Summary: Mozilla has shipped a high-priority update for Firefox 2, warning that there are at least five serious vulnerabilities that could lead to code execution attacks.

TOPICS: Browser

Mozilla has shipped a high-priority update for Firefox 2, warning that there are at least five serious vulnerabilities that could lead to code execution attacks.

With Firefox 2.0.0.15, Mozilla fixes at least 12 documented vulnerabilities -- five rated critical -- that could put users at risk of arbitrary file upload, arbitrary code execution, URL spoofing and cross-site scripting attacks.

The update is available for Windows, Mac OS X and Linux users.

Mozilla is recommending that all users upgrade to the shiny new Firefox 3 but, because of compatibility issues with add-ons and extensions, some users are hesitant to upgrade immediately.

[ SEE: Code execution vulnerability found in Firefox 3.0 ]

The Firefox 2 patch is being distributed via the browser's automatic updates mechanism but there's a small worry that some users who install but never use the browser will still be at risk.

The newest Firefox 3 is known to have a highly critical vulnerability that is not yet patched.

Details on the Firefox 2 patches:

  • MFSA 2008-33 Crash and remote code execution in block reflow
  • MFSA 2008-32 Remote site run as local file via Windows URL shortcut
  • MFSA 2008-31 Peer-trusted certs can use alt names to spoof
  • MFSA 2008-30 File location URL in directory listings not escaped properly
  • MFSA 2008-29 Faulty .properties file results in uninitialized memory being used
  • MFSA 2008-28 Arbitrary socket connections with Java LiveConnect on Mac OS X
  • MFSA 2008-27 Arbitrary file upload via originalTarget and DOM Range
  • MFSA 2008-25 Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
  • MFSA 2008-24 Chrome script loading from fastload file
  • MFSA 2008-23 Signed JAR tampering
  • MFSA 2008-22 XSS through JavaScript same-origin violation
  • MFSA 2008-21 Crashes with evidence of memory corruption (rv:1.8.1.15)

* Image source: laihiu's Flickr photostream (Creative Commons 2.0).


Talkback

4 comments
  • Wasn't Able to Upgrade to 3.0

    On my main XP Pro machine, with a dozen or so add-ons, I wasn't able to go to FF 3.0. The app does its analysis, says it's going to disable incompatible add-ons (as usual), then just hangs, running in the background with no visible window to display. Of course it uninstalled the 2.x version but, after trying twice with 3.0, I was able to re-install 2.x and use the same profile.

    As I recall, when I tried the 1.x upgrade to 2.x I had to erase the profile to get 2.x to work, and couldn't re-install 1.x, so maybe this is an "improvement."

    On my XP Pro laptop, simpler set of add-ins, was able to install fairly cleanly, but it lost the latest Flash plug-in so I had to re-install that.

    Likewise, on a Vista Business PC, Firefox 3.0 installed on a simpler profile. Haven't seen the Flash error yet.

    Of course if Microsoft or Adobe had produced software with this POS behavior, it would have been all over the news; but Mozilla.org, like Sun and Apple, are given a free pass with their incompatibilities and fubars.
    PMC-CON
  • Have you tried the Standard Diagnostic procedures

    (http://tinyurl.com/m6hcw) outlined on the MozillaZine Knowledge Base to troubleshoot the problems you've had in installing FF3 on your main machine? You might want to consider giving them a whirl....

    Henri
    mhenriday
    • Re: Standard Diagnostic

      Note that The Standard Diagnostic includes how to create a new Firefox profile without erasing the old one, how to migrate your browsing data from the old profile to the new, and how to back up your profile (which you should be doing anyway). There's no reason to lose any data doing an update to Firefox.
      Greenknight_z
  • RE: Firefox 2 dirty dozen: Critical vulnerabilities patched

    I have been happy using Firefox ever since it began - and have just upgraded to FF 3. However there is a little glitch that I have not been able to resolve. In e-mails and on web sites some punctuation symbols and characters are not displaying correctly. I have tried various settings in View/Character encoding but have been unable to correct the problem. Any constructive suggestions from resident gurus, geeks or geniuses? <g>
    HELLASBOOK