Mozilla delivers patches for Firefox; Plugs flat file vulnerability

Mozilla on Friday delivered its Firefox 2.0.0.12 update including patches that fix a Web forgery flaw, browsing history and forward navigation stealing and the directory traversal via chrome, which has been the most visible vulnerability of late.

According to the Firefox security advisory, Mozilla filed the following fixes in its flagship browser:

The most notable of the bunch is MFSA 2008-05. This fix covers the vulnerability that allowed an attacker to run off with stored cookies and other data contained in flat files. The vulnerability was discovered by researcher Gerry Eisenhaur. On Jan. 29, Mozilla security chief Window Snyder upgraded the vulnerability and set plans for Firefox 2.0.0.12. On Jan. 22, Snyder confirmed a proof of concept vulnerability discovered by Eisenhaur on Jan. 19.

Regarding the flat file flaw Mozilla said:

URI scheme improperly allowed directory traversal that could be used to load JavaScript, images, and stylesheets from local files in known locations. This traversal was possible only when the browser had installed add-ons which used "flat" packaging rather than the more popular .jar packaging, and the attacker would need to target that specific add-on.

Mozilla researcher moz_bug_r_a4 reported that this vulnerability could be used to steal the contents of the browser's sessionstore.js file, which contains session cookie data and information about currently open web pages.
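
The containment check this class of bug calls for, as an added Python example (not Mozilla's code and not part of the original article). The package name, directory layout and function names are hypothetical, and the URLs are constructed sample inputs.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Hypothetical registry: package name -> directory of a "flat"-packaged add-on
# (plain files on disk rather than a .jar archive). Layout is constructed.
FLAT_PACKAGES = {"exampleaddon": "/profile/extensions/exampleaddon/chrome"}


def _split(url):
    parts = urlsplit(url)
    if parts.scheme != "chrome" or parts.netloc not in FLAT_PACKAGES:
        raise ValueError("unknown chrome package")
    return FLAT_PACKAGES[parts.netloc], parts.path


def resolve_naive(url):
    """Weak form: decode and join, with no check that the result stays inside."""
    base, path = _split(url)
    return posixpath.normpath(posixpath.join(base, unquote(path).lstrip("/")))


def resolve_checked(url):
    """Hardened form: decode once, then require the result to stay under base."""
    base, path = _split(url)
    decoded = unquote(path)
    # Leftover escapes (double encoding), backslashes and NULs are refused
    # outright instead of being interpreted a second time further down.
    if any(ch in decoded for ch in ("%", "\\", "\x00")):
        raise ValueError("suspicious characters after decoding")
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    if posixpath.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the package directory")
    return candidate


def is_allowed(url):
    try:
        resolve_checked(url)
        return True
    except ValueError:
        return False


# Constructed sample inputs: one legitimate resource, two traversal attempts.
OK_URL = "chrome://exampleaddon/content/overlay.js"
DOTS_URL = "chrome://exampleaddon/content/../../../../sessionstore.js"
ENCODED_URL = "chrome://exampleaddon/content/%2e%2e/%2e%2e/%2e%2e/%2e%2e/sessionstore.js"

if __name__ == "__main__":
    for u in (OK_URL, DOTS_URL, ENCODED_URL):
        print(u, "->", resolve_naive(u), "| allowed:", is_allowed(u))
```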

Another critical flaw (MFSA-2008-06) allowed the theft of Web browsing history and forward navigation information. Mozilla noted:

Mozilla contributor David Bloom reported a vulnerability in the way images are treated by the browser when a user leaves a page which utilizes designMode frames. The reported issue can be used to steal a user's navigation history, forward navigation information, and crash the user's browser. The crash showed evidence of memory corruption and might be exploitable to run arbitrary code.

And a third critical vulnerability (MFSA-2008-03) covered a "privilege escalation, XSS Remote Code Execution."

Mozilla said:

Mozilla contributors moz_bug_r_a4 and Boris Zbarsky submitted a series of vulnerabilities which allow scripts from page content to escape from its sandboxed context and/or run with chrome privileges. An additional vulnerability reported by moz_bug_r_a4 demonstrated that the XMLDocument.load() function can be used to inject script into another site, violating the browser's same-origin policy.

And finally Firefox 2.0.0.12 addresses crashes due to memory corruption (MFSA-2008-01). Mozilla noted:

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox 2.0.0.12 and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

The remaining patches covered vulnerabilities that were deemed less critical. These vulnerabilities also affected Thunderbird and SeaMonkey.

Talkback

42 comments
  • Wow, sure was easy.

    Saw the notice on ZDNet, could have waited for it to automatically do it but decided to go ahead and hit Help, Check for Updates. Less than half a minute later I was back on the Internet road.

    Wonder how many reboots this Tuesday's IE updates are going to take.
    OButterball
    • If it was like the last couple months... no reboots required for Vista

      [i]Wonder how many reboots this Tuesday's IE updates are going to take.[/i]

      Of course, I'm only going based on past experience which I fully understand is much less valid than using present hatred of all things Microsoft as a guide. :)
      NonZealot
      • Um, see, we're forced to use Windows XP...

        ... because most of my clients have key software which doesn't run on Vista, or doesn't run WELL on Vista, YET. Every single Update Tuesday, for as long as I can remember in 2007, required a reboot when IE was involved.

        Of course, I'm only going based on past experience which I fully understand is much less valid than using present [i][b]blind love and fanatical support[/b][/i] of all things Microsoft as a guide. :)
        OButterball
    • Reboots are only necessary to changes in kernel.

      Since IE is a part of the middleware that runs on top of the kernel, you can just kill the shell with the task manager or logout then login again which is the same thing. But Mozilla you don't have to do this and yes I have the updated Seamonkey. Logout and login works for registry changes too.
      osreinstall
    • MS bashing for a Firefox problem?

      You people really are so pathetic. Can't accept the fact that all software is vulnerable and patches are a necessity. Can't help but drag MS into every Linux/Firefox problem. It's so hilarious how you turn a Linux/Firefox problem into a wonderful experience. Bwa-ha-ha-ha.
      transposeIT
  • thanks; that is good information

    It was just a leetle hard to decode from their notices that the flat-packaged add-ons bug was fixed.

    Would be helpful if Mozilla people spoke English once in a while....

    Regards
    Narr vi
  • RE: Mozilla delivers patches for Firefox; Plugs flat file vulnerability

    If all the hype I have been hearing about how "safe" Mozilla Firefox is compared to Internet Explorer were true, then WHY are they patching so many vulnerabilities...
    lennycald@...
    • Why?

      Because at least, they are [u]doing[/u] something about it, unlike the guys who are supposed to [i]do[/i] something about IE and who stick to a schedule of their own, whether they have a fix or not, and if not they wait until the next scheduled release.

      With Firefox, if they have a stable fix ready today, they release it today and no fanfare. (This one is an exception.) When you boot up Firefox, if you left the original installation parameters alone, the program will check with the Firefox main site and warn you that there is a new version or an upgrade and will proceed to install it on your say-so. Then if they have another fix tomorrow or next week, you get to upgrade all over again. All automatically and very painless, though a little time consuming. But I know for sure that the program is as up-to-date as possible and not a full month or more out of date. There is even a button to check for updates in the upper right corner below the red X as well as a menu choice in Help. When was the last time IE was upgraded, and can you upgrade as easily?

      Vulnerabilities? Of course there are vulnerabilities. Go back to the original "Hello, world" program and a good hacker could probably find one or two vulnerabilities without breaking into too much of a sweat. [u]Nothing[/u] is invulnerable. Especially in the computer world.
      bart001fr
    • It's like this

      If you don't know about a vulnerability, that doesn't mean it's not there, right? One of the biggest problems with IE is that you never know if Microsoft is patching all the vulnerabilities they're finding. Nor do you know about a lot of the vulnerabilities that could be being exploited right now. With Firefox, at least they keep their users informed and try to keep up with the problems without hiding them. Also, Microsoft has a specific schedule of patches that tends to have a pretty decently sized space large enough to be easily exploited before the vulnerabilities are fixed. Firefox may update frequently, but the patches are dealt with fairly quickly.
      ilovebacon
  • RE: Mozilla delivers patches for Firefox; Plugs flat file vulnerability

    I think this will force me to use IE.
    After updating, firefox will no longer connect. My Norton firewall has no user changeable settings.

    I have now lost a great deal of browser personalization.

    Thanks, but no thanks Mozilla
    serv2meek@...
  • There's a bad flaw in this update

    I think this will force me to use IE.
    After updating, firefox will no longer connect. My Norton firewall has no user changeable settings.

    I have now lost a great deal of browser personalization.

    Thanks, but no thanks Mozilla
    serv2meek@...
    • Problem is Norton

      Just being logical, but since everybody else is having no problems with the latest FireFox update, perhaps the difficulty rests with your Norton firewall. If I may write frankly, you would be best off making your computer Norton-free -- I dropped Norton products from all of our computers a few years ago after it became abundantly clear that they were slowing down the computers -- and live update just would not update key components. Norton's tech support's solution: Reinstall Norton Systemworks -- which, of course, made no difference. We've been very happy with Kaspersky Internet Security ever since. (And the new FireFox is working just fine through Kaspersky's configurable firewall). You can try a fully-functional 30-day trial from Kaspersky's website. But be sure to fully uninstall Norton first. (And if you've been keeping current on that issue, completely uninstalling Norton is a challenge -- one of the many problems with Symantec applications.)
      dl@...
      • RE:FireFox Update, Bad News

        There are more people having this problem.
        b3tonyc@...
    • Well-known problem

      Comes up all the time on the Firefox help forums. For anyone having this problem with any firewall, see: http://kb.mozillazine.org/Firewalls#Firewall_pitfalls
      Greenknight_z
  • Browser's fault?

    I guess it's a catch 22. These flaws all appear to be related to being plugged into MS. Perhaps Mozilla should have just provided FF for OSS, but then they would not be as popular.

    I'm just wondering if it was worth it for them to enter the MS vortex and have to deal with trying to secure MS file management security by being an outside program.

    I think anyone who builds accessories for MS is eventually going to run into these problems.

    If the most serious threat is stealing cookies and History, (which are OS files), shouldn't the OS be in there somewhere protecting the files like OSS does?

    Unfortunately people forget these flaws are "WindowsCentric".
    Joe.Smetona
    • Why do you say they all appear only on Windows?

      [i]These flaws all appear to be related to being plugged into MS.[/i]

      [url=https://bugzilla.mozilla.org/show_bug.cgi?id=413451] directory traversal via chrome bug [/url]

      The very first one I looked at shows that this is a vulnerability in ALL OSs. Can you please provide us with a rationale for you saying that all these flaws only affect Windows?

      [i]If the most serious threat is stealing cookies and History, (which are OS files), shouldn't the OS be in there somewhere protecting the files like OSS does?[/i]

      Huh? When Firefox asks for a cookie file from the OS, you think it is the OS's job to ask: [i]Are you [b]sure[/b] you want this file?[/i]

      How exactly do you propose that the OS decides when a program like Firefox is asking for a cookie file for "good" reasons or "bad" reasons? As long as the user ID that the Firefox process is running as has read permissions to that file, it is the OS's job to hand over that file. End of story.
      NonZealot
      • Reply.

        Here's the verification of the fix from the link you supplied. It just lists MS and MAC. If it affected Linux, it would be listed also.

        ***********

        "Al Billings 2008-01-29 16:28:45 PST

        I've verified this fix with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
        rv:1.8.1.12) Gecko/2008012820 Firefox/2.0.0.12 and Mozilla/5.0 (Macintosh; U;
        Intel Mac OS X; en-US; rv:1.8.1.12) Gecko/2008012822 Firefox/2.0.0.12.

        With this testcase (attached to bug), we get "undefined" as a result now.

        I've also tested and verified bug 413250."
        Joe.Smetona
  • FireFox Update, Bad News

    I installed the new update as soon as I got the alert, the update crashed, so it retried, shortly after I am having problems accessing web sites, I called my ISP, nothing wrong on their side. Now I completely un-installed Firefox and I am still having problems. It took me about 5 refresh tries in order to get into the ZDNet website. I do not know what the new update installed but it just messed up my connection settings. I did a Google search and I see that I am not the only one with this problem. Now I do not know what to do, I need help, if anybody out there could help me, email me, b3tonyc(a)gmail.com.
    b3tonyc@...
    • Firefox update

      I updated the latest Firefox and have a bad problem with it opening multiple sessions. When it does this, it says Entering YahooBuildToolbar. I removed all of Yahoo and removed and reinstalled Firefox and still have the same annoying problem. I did a search on YahooBuildToolbar and found many people with same problem. Haven't been able to fix it yet.
      roge
  • FireFox Update, Bad News

    Other people are having problems with the update, check up the forum, http://kb.mozillazine.org/Error_loading_websites. So many people posted about the problem that the thread was locked.
    b3tonyc@...