Firefox 2 dirty dozen: Critical vulnerabilities patched
With Firefox 2.0.0.15, Mozilla fixes at least 12 documented vulnerabilities -- five rated critical -- that could put users at risk of arbitrary file upload, arbitrary code execution, URL spoofing and cross-site scripting attacks.
The update is available for Windows, Mac OS X and Linux users.
Mozilla is recommending that all users upgrade to the shiny new Firefox 3 but, because of compatibility issues with add-ons and extensions, some users are hesitant to upgrade immediately.
[ SEE: Code execution vulnerability found in Firefox 3.0 ]
The Firefox 2 patch is being distributed via the browser's automatic updates mechanism but there's a small worry that some users who install but never use the browser will still be at risk.
The newest Firefox 3 is known to be vulnerable to a highly critical vulnerability that is not yet patched.
Details on the Firefox 2 patches:
- MFSA 2008-33 Crash and remote code execution in block reflow
- MFSA 2008-32 Remote site run as local file via Windows URL shortcut
- MFSA 2008-31 Peer-trusted certs can use alt names to spoof
- MFSA 2008-30 File location URL in directory listings not escaped properly
- MFSA 2008-29 Faulty .properties file results in uninitialized memory being used
- MFSA 2008-28 Arbitrary socket connections with Java LiveConnect on Mac OS X
- MFSA 2008-27 Arbitrary file upload via originalTarget and DOM Range
- MFSA 2008-25 Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
- MFSA 2008-24 Chrome script loading from fastload file
- MFSA 2008-23 Signed JAR tampering
- MFSA 2008-22 XSS through JavaScript same-origin violation
- MFSA 2008-21 Crashes with evidence of memory corruption (rv:1.8.1.15)
* Image source: laihiu's Flickr photostream (Creative Commons 2.0).