The most serious issue could lead to remote code execution attacks, according to a warning from the open-source browser software maker. In other scenarios, the bugs could cause denial-of-service or URL spoofing attacks.
- MFSA 2009-67 (Critical) -- An integer overflow in the Theora video library. A video's dimensions were being multiplied together and used in particular memory allocations. When the video dimensions were sufficiently large, the multiplication could overflow a 32-bit integer resulting in too small a memory buffer being allocated for the video. An attacker could use a specially crafted video to write data past the bounds of this buffer, causing a crash and potentially running arbitrary code on a victim's computer.
- MFSA 2009-66 (Critical) -- Several bugs in liboggplay which posed potential memory safety issues. The bugs which were fixed could potentially be used by an attacker to crash a victim's browser and execute arbitrary code on their computer.
- MFSA 2009-65 (Critical) -- Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes -- four documented vulnerabilities -- showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
- MFSA 2009-68 (High Risk) -- Mozilla's NTLM implementation was vulnerable to reflection attacks in which NTLM credentials from one application could be forwarded to another arbitrary application via the browser. If an attacker could get a user to visit a web page he controlled, he could force NTLM authenticated requests to be forwarded to another application on behalf of the user.
- MFSA 2009-70 (Moderate) -- A content window which is opened by a chrome window retains a reference to the chrome window via the window.opener property. Using this reference, content in the new window can access functions inside the chrome window, such as window.opener. There may be add-ons which open potentially hostile web-content in this way, and combined with such an add-on the severity of this flaw could be upgraded to Critical.
- MFSA 2009-69 (Moderate) -- When a page loaded over an insecure protocol, such as http: or file:, sets its document.location to a https: URL which responds with a 204 status and empty response body, the insecure page will receive SSL indicators near the location bar, but will not have its page content modified in any way. This could lead to a user believing they were on a secure page when in fact they were not. Separately, a web page can set
- MFSA 2009-71 (Low Risk) -- The exception messages generated by Mozilla's GeckoActiveXObject differ based on whether or not the requested COM object's ProgID is present in the system registry. A malicious site could use this vulnerability to enumerate a list of COM objects installed on a user's system and create a profile to track the user across browsing sessions.
Mozilla is distributing the patches via the browser's built-in automatic update mechanism. End users (Mac, Windows and Linux) should apply the update urgently.
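The allocation-size overflow described under MFSA 2009-67, shown next to a checked form a decoder can use before allocating. This is an added example, not code from the Theora library or from Mozilla; the function names and the MAX_FRAME_BYTES cap are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy cap for one decoded plane (256 MiB); not a Theora value.
 * It is below SIZE_MAX on 32-bit targets, so the cast below is safe. */
#define MAX_FRAME_BYTES ((uint64_t)256 * 1024 * 1024)

/* Unchecked pattern: the product is computed in 32 bits and wraps. */
static uint32_t frame_bytes_unchecked(uint32_t width, uint32_t height)
{
    return width * height;
}

/* Checked pattern: multiply in 64 bits, then reject zero or oversized
 * results before any allocation happens. Returns 0 on success. */
static int frame_bytes_checked(uint32_t width, uint32_t height, size_t *out)
{
    uint64_t n = (uint64_t)width * (uint64_t)height;
    if (n == 0 || n > MAX_FRAME_BYTES)
        return -1;
    *out = (size_t)n;
    return 0;
}

/* Allocate a zeroed frame buffer, or return NULL for rejected dimensions. */
static unsigned char *alloc_frame(uint32_t width, uint32_t height, size_t *len)
{
    if (frame_bytes_checked(width, height, len) != 0)
        return NULL;
    return calloc(1, *len);
}

int main(void)
{
    /* Constructed sample dimensions: 65537 * 65537 = 2^32 + 131073. */
    uint32_t w = 65537, h = 65537;
    size_t len = 0;
    printf("unchecked size: %u bytes\n", (unsigned)frame_bytes_unchecked(w, h));
    unsigned char *buf = alloc_frame(w, h, &len);
    printf("checked alloc:  %s\n", buf ? "allocated" : "rejected");
    free(buf);
    return 0;
}
```

With the unchecked form, the sample dimensions yield a 131073-byte size for a frame that actually needs more than 4 GiB, which is the undersized buffer the advisory describes; the checked form refuses the dimensions instead.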