Mozilla patches three Firefox security vulnerabilities

Mozilla on Monday released Firefox version 2.0.0.10. The update addresses three high-impact security vulnerabilities. Two concern cross-site request forgeries, which can be used to steal personal information while visiting certain sites, and one concerns memory corruption.

The update is being pushed out to all current Firefox users. New users can download the current Firefox release from the Mozilla site (or download the English versions for Windows or Mac from CNET Download.com).

The first cross-site request forgery vulnerability could allow an attacker to generate a fake HTTP referer header by exploiting a timing condition when setting the window location property.

Mozilla says the referer header is supposed to reflect the address of the content that initiated the script. "Instead, the referer was set to the address of the window (or frame) in which the script was running, and this vulnerability arises from that tiny difference." It credits Gregory Fleischer with reporting the issue.

The second cross-site request forgery vulnerability concerns the JAR ZIP format, which enables Web sites to load pages packaged in ZIP archives containing signatures in Java archive format.

According to Mozilla, a Beford.org blogger noted that redirects confused Mozilla browsers about the true source of the JAR content: it was "wrongly considered to originate with the redirecting site rather than the actual source. This meant that an XSS attack could be mounted against any site with an open redirect, even if it didn't allow uploads."

A proof of concept demonstrates how to exploit this vulnerability to steal a user's Gmail contact list. Mozilla credits security researchers Jesse Ruderman and Petko D. Petkov with reporting the issue.

The final update concerns memory corruption, and Mozilla says there are three specific fixes that improve the stability of Firefox. The concern here is that with enough effort, some of these memory crashes could be exploited to run arbitrary code.