Get Smart about Business Spending
Firefox update fixes a dozen flaws
Mozilla released Firefox 2.0.017 and Firefox 3.0.2, updated versions of its browser, on Wednesday to address a dozen security vulnerabilities. Four are ranked by Mozilla as critical, one high, two moderate, and the rest of the patches are considered low priority. About half do not apply to Firefox 3.
The updates are pushed automatically to current users and will take effect the next time the browser is restarted. Current users of Firefox 2 are encouraged to upgrade by manually downloading Firefox 3 as soon as possible.
Titled "Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)"--Mozilla says under certain circumstances memory corruption could be exploited to run arbitrary code. The company credits Drew Yao of Apple Product Security and David Maciejak for reporting the vulnerability.
Titled "Privilege escalation via XPCnativeWrapper pollution"--Mozilla says this fix includes "a series of vulnerabilities which can pollute XPCNativeWrappers and allow arbitrary code run with chrome privileges." The company credits Mozilla security researcher moz_bug_r_a4 for reporting the vulnerability.
Titled "Privilege escalation using feed preview page and XSS flaw"--Mozilla says this fixes "a series of vulnerabilities in feedWriter which allow scripts from page content to run with chrome privileges." The company credits Mozilla security researcher moz_bug_r_a4 for reporting this vulnerability. Firefox 3 is not affected by this issue.
Titled "UTF-8 URL stack buffer overflow"--Mozilla says "a specially crafted UTF-8 URL in a hyperlink...could overflow a stack buffer and allow an attacker to execute arbitrary code." The company credits Mozilla security researcher Justin Schuh and Tom Cross of the IBM X-Force and Peter Williams of IBM Watson Labs for reporting this vulnerability. Firefox 3 is not affected by this issue.
Titled "nsXMLDocument::OnChannelRedirect() same-origin violation"--Mozilla says the same-origin check in nsXMLDocument::OnChannelRedirect() could be bypassed and could be used to execute JavaScript in the context of a different Web site. The company credits Mozilla security researcher moz_bug_r_a4 for reporting this vulnerability. Firefox 3 is not affected by this issue.
Titled "BOM characters stripped from JavaScript before execution"--Mozilla says certain BOM characters are stripped from JavaScript code before it is executed and could lead to code being executed. The company credits Microsoft developer Dave Reed and security researcher Gareth Heyes for reporting the vulnerability.
Titled "resource: traversal vulnerabilities"--Mozilla says the restrictions imposed on local HTML files could be bypassed using the resource: protocol, allowing an attacker to read information about the system and prompt the victim to save the information in a file. The company credits Mozilla developer Boris Zbarsky and Georgi Guninski for reporting this vulnerability.
Titled "Forced mouse drag"--Mozilla says the vulnerability allows an attacker to move the content window while the mouse is being clicked, causing an item to be dragged rather than clicked-on possibly forcing a user to download a file or perform other drag-and-drop actions. The company credits Mozilla developer Paul Nickerson for reporting this variant of a click-hijacking vulnerability discovered in Internet Explorer by Liu Die Yu.
Titled "XBM image uninitialized memory reading"--Mozilla says a bug in the XBM decoder allowed random small chunks of uninitialized memory to be read. The company credits Billy Hoffman with reporting this vulnerability. Firefox 3 is not affected by this issue.
As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments. 
Any idea what it is and if Firefox is aware of it?
Thanks,
jeents
Heard of drive-by malware that install itself automatically when one uses IE? Heard of people getting endless list of viruses when they use IE to browse? Heard of spyware that installs toolbars on IE? I can't believe you still have the heart to comment FireFox sucks! If you dare, try reinstall Windows XP from scratch, not even the SP1, SP2 or SP3 edition, and go on with the list of security updates IE has always had. Its plentiful, and its a heartache when you wait for them to be reinstalled again, not to mention downloading time.
So far since I skipped away from IE to FireFox, I never had malware problems, except from friends who shared thumbdrives with me. Its impossible to say my antivirus or firewall were the cause of it since I had them long before I used FireFox. Never had to suffer freezes from loading pages except those that uses Java and Adobe Acrobat Reader. Only used IE for Windows Update, even in IE 7 I still has not recovered myself from trusting IE again till the security issues cooled down.
Anyway, FireFox is my new baby for security and speed. Google Chrome is the next, though Opera and Safari are excellent browser, I disliked their interface else no other negative comment.
http://en-us.www.mozilla.com/en-US/firefox/system-requirements.html
- by TrioBrothers September 29, 2008 10:05 PM PDT
- As expected, the security flaws were seen and updated. Guess you just have to stand by your reliable antivirus and firewall application to stay protected when a malware starts killing your machine. FireFox has been great, except I still kind of disliked the new address bar feature, that smartly predicts what website you are trying to visit. And the prefetch function? Nah, just got to off it everytime FireFox reinstalled.
- Like this Reply to this comment
-
(12 Comments)But I agree FireFox still needs to identify some web loading problems. I have had problems accessing Friendster where the page refreshes but is blanked out, since I has FireFox 2.