Mozilla has patched 10 vulnerabilities in Firefox 2.0 with update 220.127.116.11. In an update early Wednesday Firefox addressed the following:
- MFSA 2008-19 XUL popup spoofing variant (cross-tab popups)
- MFSA 2008-18 Java socket connection to any local port via LiveConnect
- MFSA 2008-17 Privacy issue with SSL Client Authentication
- MFSA 2008-16 HTTP Referrer spoofing with malformed URLs
- MFSA 2008-15 Crashes with evidence of memory corruption (rv:18.104.22.168)
Of those six advisories, two were rated critical and two had a high impact. The vulnerabilities also impact Thunderbird and SeaMonkey. Secunia has compiled 10 CVE numbers for this update with the following recap:
Some vulnerabilities and weaknesses have been reported in Mozilla Firefox, which can be exploited by malicious people to bypass certain security restrictions, disclose potentially sensitive information, conduct cross-site scripting and phishing attacks, and potentially compromise a user's system.
The CVEs addressed in the Firefox update include: CVE-2007-4879, CVE-2008-1195, CVE-2008-1233, CVE-2008-1234, CVE-2008-1235, CVE-2008-1236, CVE-2008-1237, CVE-2008-1238, CVE-2008-1240 and CVE-2008-1241.
The memory corruption crashes (MFSA 2008-15) were rated critical by Mozilla. Mozilla in its advisory said:
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
As for the high impact flaw the most interesting of the bunch was the Java socket connection via LiveConnect. Mozilla said in its advisory:
Security researcher Gregory Fleischer demonstrated that web content fetched via the jar: protocol can use Java via LiveConnect to open socket connections to arbitrary ports on the user's machine ("localhost"). The issue is caused by improper parsing of the content origin passed from the browser to the Java plugin. Such content was incorrectly evaluated to have a null host, assumed to be a local file, and was subsequently allowed permission to connect to the localhost. Sun has updated the Java Runtime Environment with a fix for this problem. Mozilla has also added a fix to LiveConnect to protect users who don't have the latest version of Java.
These patches have been pushed to Firefox users in an automatic update.