Mozilla patches a dozen Firefox vulnerabilities

TOPICS: Security, Browser

Mozilla has shipped a refresh of its flagship Firefox browser to fix a dozen documented vulnerabilities that expose users to URL spoofing, cross-site scripting, code injection and code execution attacks.

The most serious fix (MFSA 2009-14) covers four browser engine and JavaScript engine crashes where Mozilla's developers found evidence of memory corruption.

Whenever browser crashes show evidence of memory corruption, Mozilla presumes that with enough effort at least some of these crashes could be exploited to run arbitrary code.

Some other fixes of note:

  • MFSA 2009-17: Security researcher Gregory Fleischer reported that when an Adobe Flash file is loaded via the view-source: scheme, the Flash plugin misinterprets the origin of the content as localhost, leading to two specific vulnerabilities:

    1. The Flash file can bypass restrictions imposed by the crossdomain.xml mechanism and initiate HTTP requests to arbitrary third-party sites. This vulnerability could be used by an attacker to perform CSRF attacks against these sites.
    2. The Flash file, being treated as a local resource, can read and write Local Shared Objects on a user's machine. This vulnerability could be used by an attacker to place cookie-like objects on a user's computer and track them across multiple sites.

    Additionally, Fleischer reported that the jar: protocol could be used to bypass restrictions normally preventing content loaded via view-source: from being rendered.

  • MFSA 2009-19: Mozilla security researcher moz_bug_r_a4 reported that it is possible to create a document whose URI does not match the document's principal using XMLHttpRequest. This type of mismatch leads to incorrect results in principal-based security checks. An attacker could use this vulnerability to execute arbitrary JavaScript within the context of another site.

    moz_bug_r_a4 separately reported that XPCNativeWrapper.toString's __proto__ comes from the wrong scope, which results in calls to that function being executed in the wrong context in certain circumstances. An attacker could use this vulnerability to run arbitrary code within the context of a different site. Alternatively, if chrome were to call content.toString.call(), then attacker-defined functions could be run with chrome privileges.

Also see:

  • MFSA 2009-21 POST data sent to wrong site when saving web page with embedded frame
  • MFSA 2009-20 Malicious search plugins can inject code into arbitrary sites
  • MFSA 2009-18 XSS hazard using third-party stylesheets and XBL bindings
  • MFSA 2009-16 jar: scheme ignores the content-disposition: header on the inner URI
  • MFSA 2009-15 URL spoofing with box drawing character
  • MFSA 2009-14 Crashes with evidence of memory corruption (rv:1.9.0.9)


Talkback

24 comments
  • Ryan this is yesterday's news.

    This site is really slipping to the point where I may have to make it >IT OBSOLETE<. Thank god for computerworld.com, at least they report stories when they come out, not when they feel like reporting it.
    Intellihence
    • NOT 3.0.9, 3.0.10 -- ANOTHER SET OF PATCH< PATCH< PATCH from Mozilla

      The damned Firefox client is the Quicktime of the browser world: another day, another patch.

      So where are the "many eyes" focusing? This shows what intellectual trash the open source myth is: there are holes and holes and holes and I just can't see where the alleged strengths are.
      PMC-CON
      • No, not what this piece describes

        The fixes listed were in the 3.0.9 update - this is old news. 3.0.10, which was just released, fixes a regression caused by one of the fixes in 3.0.9 - a crash that potentially could be exploited to install malware.

        While such frequent updates are a pain (and, ideally, they should have caught that bug before they released 3.0.9), better to fix it quick than wait 'til someone makes an exploit for it.
        Greenknight_z
      • I Agree. It's become FireFox of the month now

        I'll give this to Mozilla, at least they try and try and try. They do fix the "reported" vulnerabilities quickly but for the noob that indicated that MS takes their sweet time to fix vulnerabilities, I couldn't agree more but they don't release a new version of the browser once a month.

        FireFox is too high a maintenance item for me.

        Just because they fix it once a month does not mean that ALL vulnerabilities are patched, only the ones the developers know of.
        dunn@...
      • Your answer.

        It's Firefox on Windows. They should have never made it for Windows. The same goes for OpenOffice and other programs. It's just a waste of time and resources.

        Do you think I'm concerned about anything Firefox on my Linux?
        Joe.Smetona
  • Ryan, any word

    with regard to whether the work done on these FF 3.0.9 patches will lead to a further slip in the release schedule of Firefox 3.5 ?...

    Henri
    mhenriday
  • RE: Mozilla patches a dozen Firefox vulnerabilities

    Ryan, thanks for the heads up but can you put the release tag (I assume from mhenriday's comment it's 3.0.9) in the title? I get auto-updates so it turns out I've already received these patches.
    rpolunsky@...
  • Can you include the version number of the release with the fixes?

    This is a good report. Can you include the version number of the Firefox browser that has all of these fixes in it? My home PC just automatically upgraded to 3.0.9 last night. Is that the version you are talking about here?
    LarryPTL
    • imagine if it was IE8 not firesh*t?

      Can you imagine how much s**t would be flying if it was IE 8 with all these patches???
      Richard Turpin
      • if it were ie8 it would take months to get fixed.

        and some issues might not be fixed in a year. (check out known bugs and the fix cycles/ie and ff) Face it, micro-schwagg is a sh*t outfit when it comes to responsiveness.
        burt&theband
      • If it'd been IE8?

        don't expect a patch anytime soon unless one or both the following criteria are fulfilled.

        a) the next service pack is just around the corner (it might be included, if there's enough publicity about the vulnerability)

        b) the vulnerability is actively exploited in the wild and a few thousands are compromised
        balaknair
    • Yes, please include version number

      Without the version number, the story is merely a bunch of birdcage liner, if you get my drift. Give us all the important facts, please, and that should always include the version number. Otherwise, we're left wondering whether this applies to us or is just so much hot air.
      vbrucewhitehead@...
    • Yes

      The vulnerabilities Ryan mentions are fixed in 3.0.9

      3.0.10 was released yesterday, with a patch for a vulnerability due to a regression in 3.0.9, and a bugfix (not security related)

      https://bugzilla.mozilla.org/buglist.cgi?keywords_type=anywords&keywords=fixed1.9.0.10+verified1.9.0.10
      balaknair
      • Just one issue, really

        If you read the bug reports from that link, you'll find they both refer to the same crash problem. Since it's both a security issue and a stability issue, two bugs were filed about it.
        Greenknight_z
  • RE: Mozilla patches a dozen Firefox vulnerabilities

    It is version 3.0.9. I thought the next version of FF was going to be 3.1 - I didn't think they were skipping right to 3.5.
    docqualizer
    • revised version number

      They've decided to rename FF 3.1 to 3.5 in view of the amount of change in the code and features.

      "https://developer.mozilla.org/devnews/index.php/2009/03/05/firefox-31-may-become-firefox-35/"
      balaknair
  • RE: Mozilla patches a dozen Firefox vulnerabilities

    Got announcement of this story
    =
    Updated to 3.0.10
    TEBushmaker
  • RE: Mozilla patches a dozen Firefox vulnerabilities

    I had to download another browser about a mo. ago due
    to Firefox crashing all the time. I was on Firefox
    again yesterday & it crashed 3 times within a few min.
    I absolutely hate it. I don't use it any more than I
    have to & I used to really like it. I'd like very much
    for it to be fixed so it wouldn't crash any more.
    Eden Jade
    • I think you will find...

      ...the issues you have while using Firefox are
      not caused by Firefox, itself, but by the
      extensions you have added. Verified conflicts
      are documented between specific extensions. Do
      your homework at MozDev.org:
      http://mozdev.org/, and Mozillazine.org forums:
      http://forums.mozillazine.org/

      The best way to know if you truly have issues
      with Firefox, itself, is to try it in its Safe
      Mode. If Firefox in Safe Mode is fast and clean
      in bringing up Web pages, then issues are
      caused by Firefox extensions, their conflicts
      with each other, or their poor memory
      management...such as failing to release memory
      when it is no longer needed.

      Speaking of memory, make sure you have enough
      space allocated to Windows' virtual memory,
      especially the lowest amount allocated. I find
      it best to make the bottom value equivalent to
      twice my physical RAM. (Your mileage may
      vary...)
      Isocrates
      • Excellent point

        I totally agree - I run Firefox Trunk test builds, the bleeding-edge version where new features are first tried out, and I don't get near the number of crashes that Amber Jade describes. The Mozillazine forums are the best place to get help.
        Greenknight_z