Business

Mozilla zaps Firefox security bugs

Mozilla has rolled out a major security update to fix a total of seven vulnerabilities in its flagship Firefox browser. The batch of patches apply to users of Firefox 1.5.0.10 and Firefox 2.0.0.2 (Windows, Mac, and Linux).

Written by Ryan Naraine, Contributor Feb. 23, 2007 at 3:57 a.m. PT

Mozilla has rolled out a major security update to fix a total of seven vulnerabilities in its flagship Firefox browser.

The batch of patches apply to users of Firefox 1.5.0.10 and Firefox 2.0.0.2 (Windows, Mac, and Linux) and are available as a free download at getfirefox.com.

"Due to the security fixes, we strongly recommend that all Firefox users upgrade to these latest releases," said Mike Schroepfer, vice president of engineering at Mozilla.

The patches will be released over the next 24 to 48 hours via the automatic update mechanism in Firefox 1.5.0.x an d Firefox 2.0.0.x. Starting later today, users can the upgrade from the "Check for Updates" feature in the Help menu.

Note: Support for Firefox 1.5.0.x ends on April 24, 2007. After that, Mozilla will no longer ship security and stability updates for older browser versions]

Today's update covers these seven security bugs:

MFSA 2007-07: Embedded nulls in location.hostname confuse same-domain checks

MFSA 2007-06: Mozilla Network Security Services (NSS) SSLv2 buffer overflow

MFSA 2007-05: XSS and local file access by opening blocked popups

MFSA 2007-04: Spoofing using custom cursor and CSS3 hotspot

MFSA 2007-03: Information disclosure through cache collisions

MFSA 2007-02: Improvements to help protect against Cross-Site Scripting attacks

MFSA 2007-01: Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2)

Also see: Is the the month of Firefox bugs?

Editorial standards

Show Comments