
Mozilla slaps band-aid on 11 Firefox flaws

Written by Ryan Naraine, Contributor

Mozilla has joined this week's patchapalooza with the release of a Firefox update to fix 11 documented security vulnerabilities.

Six of the 11 issues are in advisories rated "critical" because of the risk of code execution attacks that could allow hackers to take complete control of a compromised machine. Here's a snapshot of the critical issues:

MFSA 2009-32 JavaScript chrome privilege escalation

Mozilla security researcher moz_bug_r_a4 reported a vulnerability which allows scripts from page content to run with elevated privileges. Using this vulnerability, an attacker could cause a chrome privileged object, such as the browser sidebar or the FeedWriter, to interact with web content in such a way that attacker controlled code may be executed with the object's chrome privileges.

MFSA 2009-29 Arbitrary code execution using event listeners attached to an element whose owner document is null

Mozilla security researcher moz_bug_r_a4 reported that the owner document of an element can become null after garbage collection. In such cases, event listeners may be executed within the wrong JavaScript context. An attacker could potentially use this vulnerability to have a malicious event handler execute arbitrary JavaScript with chrome privileges.

MFSA 2009-28 Race condition while accessing the private data of a NPObject JS wrapper class object

Jakob Balle and Carsten Eiram of Secunia Research reported a race condition in NPObjWrapper_NewResolve when accessing the properties of a NPObject, a wrapped JSObject. Balle and Eiram demonstrated that this condition could be reached by navigating away from a web page during the loading of a Java applet. Under such conditions the Java object would be destroyed but later called into resulting in a free memory read. It might be possible for an attacker to write to the freed memory before it is reused and run arbitrary code on the victim's computer.

MFSA 2009-24 Crashes with evidence of memory corruption

Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. There are three different CVEs attached to these crashes.

Firefox 3.0.11 is shipped via the browser's automatic update mechanism.
