Firefox update fixes a dozen flaws
Update spans Firefox 2 and Firefox 3 and will be pushed out to current users to take affect the next time the browser relaunches.
Mozilla released Firefox 2.0.017 and Firefox 3.0.2, updated versions of its browser, on Wednesday to address a dozen security vulnerabilities. Four are ranked by Mozilla as critical, one high, two moderate, and the rest of the patches are considered low priority. About half do not apply to Firefox 3.
The updates are pushed automatically to current users and will take effect the next time the browser is restarted. Current users of Firefox 2 are encouraged to upgrade by manually downloading Firefox 3 as soon as possible.
Titled "Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)"--Mozilla says under certain circumstances memory corruption could be exploited to run arbitrary code. The company credits Drew Yao of Apple Product Security and David Maciejak for reporting the vulnerability.
Titled "Privilege escalation via XPCnativeWrapper pollution"--Mozilla says this fix includes "a series of vulnerabilities which can pollute XPCNativeWrappers and allow arbitrary code run with chrome privileges." The company credits Mozilla security researcher moz_bug_r_a4 for reporting the vulnerability.
Titled "Privilege escalation using feed preview page and XSS flaw"--Mozilla says this fixes "a series of vulnerabilities in feedWriter which allow scripts from page content to run with chrome privileges." The company credits Mozilla security researcher moz_bug_r_a4 for reporting this vulnerability. Firefox 3 is not affected by this issue.
Titled "UTF-8 URL stack buffer overflow"--Mozilla says "a specially crafted UTF-8 URL in a hyperlink...could overflow a stack buffer and allow an attacker to execute arbitrary code." The company credits Mozilla security researcher Justin Schuh and Tom Cross of the IBM X-Force and Peter Williams of IBM Watson Labs for reporting this vulnerability. Firefox 3 is not affected by this issue.
Titled "nsXMLDocument::OnChannelRedirect() same-origin violation"--Mozilla says the same-origin check in nsXMLDocument::OnChannelRedirect() could be bypassed and could be used to execute JavaScript in the context of a different Web site. The company credits Mozilla security researcher moz_bug_r_a4 for reporting this vulnerability. Firefox 3 is not affected by this issue.
Titled "BOM characters stripped from JavaScript before execution"--Mozilla says certain BOM characters are stripped from JavaScript code before it is executed and could lead to code being executed. The company credits Microsoft developer Dave Reed and security researcher Gareth Heyes for reporting the vulnerability.
Titled "resource: traversal vulnerabilities"--Mozilla says the restrictions imposed on local HTML files could be bypassed using the resource: protocol, allowing an attacker to read information about the system and prompt the victim to save the information in a file. The company credits Mozilla developer Boris Zbarsky and Georgi Guninski for reporting this vulnerability.
Titled "Forced mouse drag"--Mozilla says the vulnerability allows an attacker to move the content window while the mouse is being clicked, causing an item to be dragged rather than clicked-on possibly forcing a user to download a file or perform other drag-and-drop actions. The company credits Mozilla developer Paul Nickerson for reporting this variant of a click-hijacking vulnerability discovered in Internet Explorer by Liu Die Yu.
Titled "XBM image uninitialized memory reading"--Mozilla says a bug in the XBM decoder allowed random small chunks of uninitialized memory to be read. The company credits Billy Hoffman with reporting this vulnerability. Firefox 3 is not affected by this issue.