Mozilla updates Firefox; Fixes multiple vulnerabilities

Summary: Mozilla has patched 10 vulnerabilities in Firefox 2.0 with update 2.

Mozilla has patched 10 vulnerabilities in Firefox 2.0 with update 2.0.0.13. In an update released early Wednesday, Mozilla addressed the following advisories:

  • MFSA 2008-19 XUL popup spoofing variant (cross-tab popups)
  • MFSA 2008-18 Java socket connection to any local port via LiveConnect
  • MFSA 2008-17 Privacy issue with SSL Client Authentication
  • MFSA 2008-16 HTTP Referrer spoofing with malformed URLs
  • MFSA 2008-15 Crashes with evidence of memory corruption (rv:1.8.1.13)
  • MFSA 2008-14 JavaScript privilege escalation and arbitrary code execution

Of those six advisories, two were rated critical and two had a high impact. The vulnerabilities also impact Thunderbird and SeaMonkey. Secunia has compiled 10 CVE numbers for this update with the following recap:

Some vulnerabilities and weaknesses have been reported in Mozilla Firefox, which can be exploited by malicious people to bypass certain security restrictions, disclose potentially sensitive information, conduct cross-site scripting and phishing attacks, and potentially compromise a user's system.

The CVEs addressed in the Firefox update include: CVE-2007-4879, CVE-2008-1195, CVE-2008-1233, CVE-2008-1234, CVE-2008-1235, CVE-2008-1236, CVE-2008-1237, CVE-2008-1238, CVE-2008-1240 and CVE-2008-1241.

The memory corruption crashes (MFSA 2008-15) were rated critical by Mozilla. Mozilla in its advisory said:

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

The other critical vulnerability was the JavaScript privilege escalation and arbitrary code execution, according to Mozilla. Mozilla in that advisory said:

Mozilla contributors moz_bug_r_a4, Boris Zbarsky, and Johnny Stenback reported a series of vulnerabilities which allow scripts from page content to run with elevated privileges. moz_bug_r_a4 demonstrated additional variants of MFSA 2007-25 and MFSA 2007-35 (arbitrary code execution through XPCNativeWrapper pollution). Additional vulnerabilities reported separately by Boris Zbarsky, Johnny Stenback, and moz_bug_r_a4 showed that the browser could be forced to run JavaScript code using the wrong principal, leading to universal XSS and arbitrary code execution.

As for the high-impact flaws, the most interesting of the bunch was the Java socket connection via LiveConnect. Mozilla said in its advisory:

Security researcher Gregory Fleischer demonstrated that web content fetched via the jar: protocol can use Java via LiveConnect to open socket connections to arbitrary ports on the user's machine ("localhost"). The issue is caused by improper parsing of the content origin passed from the browser to the Java plugin. Such content was incorrectly evaluated to have a null host, assumed to be a local file, and was subsequently allowed permission to connect to the localhost. Sun has updated the Java Runtime Environment with a fix for this problem. Mozilla has also added a fix to LiveConnect to protect users who don't have the latest version of Java.
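The failure Mozilla describes is a classic origin-attribution bug: the plugin received an origin with no host, read "no host" as "local file", and local files were trusted to open sockets to the user's machine. The following Python model is an added example, not Mozilla's or Sun's code, and it does not reproduce the plugin's real API; it stands in for the decision logic so the weak rule can be compared with a hardened one. The URLs are constructed (example.test is a reserved test domain), and the nesting limit is an assumption.

```python
"""Origin-to-privilege check modelled on the MFSA 2008-18 description.

Added example, not Mozilla or Sun code. It shows the pre-fix rule ("null host means
local file") beside a rule that first resolves a jar: URL to the archive it came
from and fails closed on anything it cannot attribute to a concrete origin.
"""
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
MAX_JAR_NESTING = 2   # assumption: one archive inside another is as deep as we accept


def vulnerable_allows_loopback_socket(origin_url: str) -> bool:
    """Pre-fix logic as the advisory describes it: the origin string for jar: content
    carries no host, a missing host is read as 'local file', and local files may open
    sockets to the user's own machine."""
    host = urlsplit(origin_url).hostname
    if host is None:            # jar:http://... lands here with a null host
        return True             # ...and is granted local-file privileges
    return host.lower() in LOOPBACK_HOSTS


def effective_origin(origin_url: str, depth: int = 0):
    """Return the (scheme, host) the content really came from, or None when that
    cannot be decided. jar:<archive-url>!/<entry> is attributed to <archive-url>;
    file: is a local file; anything else without a concrete host is untrusted."""
    parts = urlsplit(origin_url)
    scheme = parts.scheme.lower()
    if scheme == "jar":
        if depth >= MAX_JAR_NESTING:
            return None                         # refuse runaway nesting
        archive_url, sep, _entry = parts.path.partition("!/")
        if not sep or not archive_url:
            return None                         # malformed jar: URL
        return effective_origin(archive_url, depth + 1)
    if scheme == "file":
        return ("file", "localhost")
    if scheme in ("http", "https") and parts.hostname:
        return (scheme, parts.hostname.lower())
    return None                                 # unknown scheme or no host: fail closed


def hardened_allows_loopback_socket(origin_url: str) -> bool:
    """Post-fix logic: decide on the resolved origin, never on the raw null host."""
    origin = effective_origin(origin_url)
    if origin is None:
        return False
    scheme, host = origin
    return scheme == "file" or host in LOOPBACK_HOSTS


if __name__ == "__main__":
    # Constructed origins, including the jar:http shape the advisory singles out.
    samples = [
        "jar:http://example.test/archive.jar!/page.html",
        "http://example.test/page.html",
        "http://localhost:8080/app",
        "file:///home/user/page.html",
        "jar:file:///home/user/archive.jar!/page.html",
        "mailto:someone@example.test",
    ]
    for url in samples:
        print(f"{url:50} vulnerable={vulnerable_allows_loopback_socket(url)!s:5} "
              f"hardened={hardened_allows_loopback_socket(url)!s:5} "
              f"origin={effective_origin(url)}")
```

The two rules differ only on the input that matters: for `jar:http://example.test/archive.jar!/page.html` the weak check sees a null host and says yes, while the hardened check resolves the archive to `http://example.test` and says no. Genuine local files still get local-file treatment, so the fix does not break the legitimate case. The design point is that a privilege decision should be made on a fully resolved origin and that an undecidable origin should be denied rather than defaulted to the most trusted class.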

These patches have been pushed to Firefox users in an automatic update.

Talkback

10 comments
  • As Usual, Nice And Speedy!

    Thanks Mozilla!
    itanalyst2
  • RE: Mozilla updates Firefox; Fixes multiple vulnerabilities

    Since I use FF3b4, will this fix find its way into FF3b5?
    fatman65535
  • find its way into ff3b5

    I don't think ff3 is affected.
    gaurdro
  • RE: Mozilla updates Firefox; Fixes multiple vulnerabilities

    After Apple's several software updates last week, Firefox has started hanging regularly on both my Mac notebooks. Strangely, it does not happen on the Mac Pro. Nobody else seems to have mentioned it, but I wonder if there is an interaction with the trackpads. For me, Firefox has become unusable on the notebooks.
    jorjitop
    • I've had FF issues on my Mac Pro

      Firefox started misbehaving for me on my Mac Pro a while ago. One of the Firefox updates several versions ago started the problem. Initially, I thought turning off the anti-phishing solved the issue, but it's gotten worse. I started using Safari exclusively on my Mac Pro, and I'm a lot happier with it since version 3.
      t_mohajir
      • Should be reported

        You two should let Mozilla know about these problems. It doesn't take long, they have a quick feedback page here: http://hendrix.mozilla.org/
        Greenknight_z
  • RE: Mozilla updates Firefox; Fixes multiple vulnerabilities

    Yes, I just updated with the Security fix yesterday in my Home PC's Firefox 2.

    They have now resolved most security vulnerability issues. Good work from Firefox Team and thanks for the news so that people can see that there are some fixes in Firefox and update their browsers automatically once they open up the same.

    Jithendra
    JithendraG
  • RE: Mozilla updates Firefox; Fixes multiple vulnerabilities

    Just wondering when 3.0b4 is gonna be a real version>?????>>>>>Hmmmmmmmmmmm
    bikerpappy
    • RE: Just wondering when...

      June, I think, is the current plan for the Fx 3 release. There's one more beta to be released before that.
      Greenknight_z
  • RE: Mozilla updates Firefox; Fixes multiple vulnerabilities

    Well, Opera is still better
    ultimatebuster