Mozilla slaps band-aid on 11 Firefox flaws

Mozilla slaps band-aid on 11 Firefox flaws

Summary: Mozilla has joined this week's patchapalooza with the release of a Firefox update to fix 11 documented security vulnerabilities.Six of the 11 issues are in advisories rated "critical" because of the risk of code execution attacks that could allow hackers to take complete control of a compromised machine.

SHARE:
TOPICS: Browser, Security
65

Mozilla has joined this week's patchapalooza with the release of a Firefox update to fix 11 documented security vulnerabilities.

Six of the 11 issues are in advisories rated "critical" because of the risk of code execution attacks that could allow hackers to take complete control of a compromised machine. Here's a snapshot of the critical issues:

MFSA 2009-32 JavaScript chrome privilege escalation

Mozilla security researcher moz_bug_r_a4 reported a vulnerability which allows scripts from page content to run with elevated privileges. Using this vulnerability, an attacker could cause a chrome privileged object, such as the browser sidebar or the FeedWriter, to interact with web content in such a way that attacker controlled code may be executed with the object's chrome privileges.

MFSA 2009-29 Arbitrary code execution using event listeners attached to an element whose owner document is null

Mozilla security researcher moz_bug_r_a4 reported that the owner document of an element can become null after garbage collection. In such cases, event listeners may be executed within the wrong JavaScript context. An attacker could potentially use this vulnerability to have a malicious event handler execute arbitrary JavaScript with chrome privileges.

MFSA 2009-28 Race condition while accessing the private data of a NPObject JS wrapper class object

Jakob Balle and Carsten Eiram of Secunia Research reported a race condition in NPObjWrapper_NewResolve when accessing the properties of a NPObject, a wrapped JSObject. Balle and Eiram demonstrated that this condition could be reached by navigating away from a web page during the loading of a Java applet. Under such conditions the Java object would be destroyed but later called into resulting in a free memory read. It might be possible for an attacker to write to the freed memory before it is reused and run arbitrary code on the victim's computer.

MFSA 2009-24 Crashes with evidence of memory corruption

Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.  There are three difference CVEs attached to these crashes.

Firefox 3.0.11 is shipped via the browser's automatic update mechanism.

Topics: Browser, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

65 comments
Log in or register to join the discussion
  • Change your headline...

    ...if these are actually full-blown fixes for the
    vulnerabilities involved. A "band-aid" is an
    interim, partial, or slapdash fix applied as first
    aid or triage.
    TriangleDoor
    • I have seen it used with MS too. Did you cry then as well?

      .
      Qbt
      • I've never understood...

        when someone actually seems to agree with a sentiment, they attack the messenger because they may or may not have spoken up with the same sentiment in circumstances involving another party. If it's wrong, it's wrong. It doesn't matter if someone said it was wrong before or not. I see this enough with retarded political hacks. If you want to act like a child, please go post your drivel on the cartoon network website and leave this one to the adults.
        jasonp@...
        • I'm pointing out the typical hypocricy you find here on ZDNet

          Do you have a problem with that?

          Usually the people that complain about stuff like this are the same ones that will be 100% ok with it when it involves MS.

          These people always crack me up.
          Qbt
          • ZDN: come for the hypocrisy

            stay for the spelling and grammar...

            :o)
            Jack-Booted EULA
          • And those that have lost the argument...

            ...point out silly typos. I didn't actually expect anything more anyway...
            Qbt
          • Silly typos?

            Inaccuracies reveal the incapabilities of the
            poster to either communicate correctly or debate
            intelligibly.
            Isocrates
          • Your Point?

            Understandably, people are more likely to defend what they care about. Feel free to air your grievances in any Microsoft band-aid thread. Without a doubt, some anti MS diehards will bring up an irrelevant argument... but you just can't argue with some people.
            Zyloch
          • ...such as MS diehards and anti-Linux diehards. nt

            NT
            Isocrates
          • I left that part unsaid.

            NT
            Zyloch
    • Agreed- Headline is a litte misleading

      My first thought was that the update was somehow put together in a shoddy manner.
      snafu_77
      • Maybe next time...

        Apple or Microsoft or whoever announces some patches we'll get headlines like.

        Microsoft changes used security bandages again this Tuesday.

        or

        Apple updates its security fashion statement.
        zkiwi
  • I Mozilla has seen its best days already

    I really liked Firefox 2 but ever since it has gone to 3 it has been down hill will sluggish loading and performance issues. Not sure if it just has become a mish mash of patches and updates that just were not done well or what.
    Maybe 3.5 will be better. It just has stopped being what it was supposed to be in the beginning.
    jscott418-22447200638980614791982928182376
    • Firefox 3.5 is super!

      I've been using the FF 3.5 RC1 since the new builds have been available and it's super fast regarding loading and performance.
      Let's hope they keep it up!
      gmontagu@...
      • 3.5?????

        With my latest update I have 3.0.11!! Where and HOW do you get 3.5?!
        mummainsaudi
        • 3.5

          It's the beta build for the upcoming version of Firefox.

          http://www.mozilla.com/en-US/firefox/3.5b4/releasenotes/

          It's stable and works with the most common addons. It's also much faster than 3.0 ever was.
          tmsbrdrs
        • FF 3.5

          http://www.mozilla.com/products/download.html?product=firefox-3.5b4&os=win&lang=en-US
          Pationl
        • FF 3.5 RC1 !

          It's the first Release Candidate and you can get it here:

          http://releases.mozilla.org/pub/mozilla.org/firefox/releases/3.5rc1

          You can choose your OS and you can check for your language localization or just choose the en-US or the en_GB just as you prefer
          gmontagu@...
        • FF 3.5 RC1

          It's the first Release Candidate.
          You can get it here:

          http://releases.mozilla.org/pub/mozilla.org/firefox/releases/3.5rc1
          gmontagu@...
    • instability in FF

      I agree! I have loved Firefox (and STILL will not go back to IE!) but lately, like the past four months or so, it has been horrible! Every time it updates my plug ins add-ons, etc. VANISH! The best thing: Tab Mix Plus, is gone, so I have to go to File and New Tab to make sure I don't lose the page I am ON! It also used to "save" the tabs from a previous session, or at least ASK me if I wanted to close, but now? Nothing, when I click the X FF is GONE just like that! I have had trouble with my blog, which, sometimes rights itself if I clear the cache, and now, whenever I come back, though my homepages are SAVED, I have to SIGN IN to each of them AGAIN! Very annoying, especially since I am one handed right now!
      Although I wrote on the forum (the ONLY place to get help!) No one has come up with any helpful suggestions yet. I finally STOPPED re downloading my add ons, cause I figured, what's the use? They will disappear with the next update!
      mummainsaudi