Mozilla patches three Firefox security vulnerabilities

Version 2.0.0.10 addresses two high-impact cross-site request forgeries and one memory corruption vulnerability.

Mozilla on Monday released Firefox version 2.0.0.10. The update addresses three high-impact security vulnerabilities. Two concern cross-site request forgeries, which can be used to steal personal information while visiting certain sites, and one concerns memory corruption.

The update is being pushed out to all current Firefox users. New users can download the current Firefox release from the Mozilla site (or download the English versions for Windows or Mac from CNET Download.com).

The first cross-site request forgery vulnerability could allow an attacker to generate a fake HTTP referer header by exploiting a timing condition when setting the window location property.

Mozilla says the referer header is supposed to reflect the address of the content that initiated the script. "Instead, the referer was set to the address of the window (or frame) in which the script was running, and this vulnerability arises from that tiny difference." It credits Gregory Fleischer with reporting the issue.

The second cross-site request forgery vulnerability concerns the JAR ZIP format, which enables Web sites to load pages packaged in ZIP archives containing signatures in Java archive format.

According to Mozilla, a Beford.org blogger noted that redirects confused Mozilla browsers about the true source of the JAR content: it was "wrongly considered to originate with the redirecting site rather than the actual source. This meant that an XSS attack could be mounted against any site with an open redirect, even if it didn't allow uploads."

A proof of concept demonstrates how to exploit this vulnerability to steal a user's Gmail contact list. Mozilla credits security researchers Jesse Ruderman and Petko D. Petkov with reporting the issue.

The final update concerns memory corruption, and Mozilla says there are three specific fixes that improve the stability of Firefox. The concern here is that with enough effort, some of these memory crashes could be exploited to run arbitrary code.

About the author

    As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

     

    Join the discussion

    Conversation powered by Livefyre

    Don't Miss
    Hot Products
    Trending on CNET

    HOT ON CNET

    Looking for an affordable tablet?

    CNET rounds up high-quality tablets that won't break your wallet.