Mozilla plugs 10 more Firefox holes
![ryan-naraine.jpg](https://www.zdnet.com/a/img/resize/58705b1ab848cb0209d7d7d504dffaab176d93aa/2014/07/22/4b4e2273-1175-11e4-9732-00505685119a/ryan-naraine.jpg?auto=webp&fit=crop&frame=1&height=192&width=192)
![Mozilla plugs 10 more Firefox holes](https://www.zdnet.com/a/img/2014/10/04/1379458d-4b66-11e4-b6a0-d4ae52e95e57/firefox.png)
The latest Firefox 2.0.0.8 update includes another two patches rated "critical" because of the risk of code execution.
The first high-priority issue (MFSA 2007-35) swats a bug that allows attackers to execute malicious JavaScript code with the rights of the local user.
[It is] possible to use the
Script
object to modify XPCNativeWrappers in such a way that subsequent access by the browser chrome -- such as by right-clicking to open a context menu -- can cause attacker-supplied javascript to run with the same privileges as the user. This is similar to MFSA 2007-25 fixed in Firefox 2.0.0.5
Mozilla also released (MFSA 2007-29) to fix two vulnerabilities found that could cause browser crashes "with evidence of memory corruption."
The latest update, which now supports Mac OS X Leopard, includes another fix (MFSA 2007-36) for the URI protocol handling issue that has haunted Windows users all year; a bug (MFSA 2007-34) that makes it possible to steal files through the SFTP protocol and a flaw (MFSA 2007-33) that allows XUL pages to hide the window titlebar.
It also fixes a file input focus stealing vulnerability (MFSA 2007-32); a browser digest authentication request splitting flaw (MFSA 2007-31) and an onUnload Tailgating issue MFSA 2007-30 that can lead to spoofing attacks.