Mozilla plugs 10 more Firefox holes

Summary: Mozilla has shipped the eighth refresh of its flagship Firefox 2 browser to fix at least 10 vulnerabilities affecting Windows and Linux users.

TOPICS: Browser, Security

The latest Firefox 2.0.0.8 update includes another two patches rated "critical" because of the risk of code execution.

The first high-priority issue (MFSA 2007-35) swats a bug that allows attackers to execute malicious JavaScript code with the rights of the local user.

[It is] possible to use the Script object to modify XPCNativeWrappers in such a way that subsequent access by the browser chrome -- such as by right-clicking to open a context menu -- can cause attacker-supplied javascript to run with the same privileges as the user. This is similar to MFSA 2007-25 fixed in Firefox 2.0.0.5.

Mozilla also released a fix (MFSA 2007-29) for two vulnerabilities that could cause browser crashes "with evidence of memory corruption."

The latest update, which now supports Mac OS X Leopard, includes another fix (MFSA 2007-36) for the URI protocol handling issue that has haunted Windows users all year, along with fixes for a bug (MFSA 2007-34) that makes it possible to steal files through the SFTP protocol and a flaw (MFSA 2007-33) that allows XUL pages to hide the window titlebar.

It also fixes a file input focus stealing vulnerability (MFSA 2007-32), a browser digest authentication request splitting flaw (MFSA 2007-31) and an onUnload Tailgating issue (MFSA 2007-30) that can lead to spoofing attacks.


Talkback

11 comments
  • Preemptive strike

    Can we all just admit that any of us running a browser or any other connected software is just sitting here with dozens and dozens of unpatched vulnerabilities just waiting to be exploited?

    We can argue all day about choosing to use an application that has been targeted more/less than another application. But let's not, because that's only the choice of the hacker, not the engineer or the user.

    Let's just all admit that the browser we're using to read this post has an essentially limitless number of security vulnerabilities, and move on to another topic. (And it does, even if you want to think yours somehow has "less" than another. I'm not sure how 500 yet to be announced vulnerabilities is better than 550 if the number never approaches anything close to zero.)

    Like OSX v. Vista. There, that one's so much more productive.
    KTLA
    • Word out to that.

      NT
      Skullet
  • "to fix at least 10 vulnerabilities affecting Windows and Linux users."

    Wait a minute...I thought Linux was impervious to attacks? ]-)
    IT_Guy_z
    • <sigh>

      nt
      KTLA
      • strike a nerve?

        ;-)
        IT_Guy_z
        • No . . .

          Apparently you're a moron who didn't read the first post . . .
          JLHenry
    • RE: "to fix at least 10 vulnerabilities affecting Windows and Linux users."

      ...Wait a minute...I thought Linux was impervious to attacks?...

      You are either trolling...or are seriously cognitively challenged. Which one is it...???
      joe6pack_z
    • Linux impervious?

      IT_Guy_z wrote:

      "Wait a minute...I thought Linux was impervious to attacks?"

      You thought wrong. No sensible person argues that any software is impervious to attacks, but some software is much more secure than others, either by design or by the rapidity with which identified exploits are fixed.

      Do note that Linux users at least didn't have to wait until the second Tuesday of the next month to get a fix for these issues.
      JDThompson
  • RE: Mozilla plugs 10 more Firefox holes

    When are you going to fix the "Firefox.exe has encountered an error and needs to close"???
    Jean-Louis Fujs
    jeanloui@ican.net
    jeanloui@...
  • Non-admin issues?

    The last two Firefox updates applied automatically under my non-admin user account, then refused to complete. I saw the same "applying update" message repeatedly, every time I opened Firefox. I had to do a "RunAs" to open Firefox as admin to complete the process. My uncle called me with the same situation last week. Previous updates ran just fine under non-admin accounts. Has anybody else run into this? (I'll admit I haven't spent time investigating.)
    bmgoodman
    • And there's more..Unfortunately!!

      Sorry to go off track, but:
      Since applying V2.0.0.8 with more than 4 or so tabs open, FF will lock up & keep telling you "it can't find the Server..To try again", then when you close the BROWSER (all tabs) you can't open FF again, because it is still running and needs the Task Manager to KILL FF.

      Not my idea of a good fix & I'm no M$ lover.

      V2.0.0.7 didn't have these problems...WHY??
      Huntsman.ks