Firefox update fixes a dozen flaws

Mozilla released Firefox 2.0.017 and Firefox 3.0.2, updated versions of its browser, on Wednesday to address a dozen security vulnerabilities. Four are ranked by Mozilla as critical, one high, two moderate, and the rest of the patches are considered low priority. About half do not apply to Firefox 3.

The updates are pushed automatically to current users and will take effect the next time the browser is restarted. Current users of Firefox 2 are encouraged to upgrade by manually downloading Firefox 3 as soon as possible.

MFSA 2008-42: Critical

Titled "Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)"--Mozilla says under certain circumstances memory corruption could be exploited to run arbitrary code. The company credits Drew Yao of Apple Product Security and David Maciejak for reporting the vulnerability.

MFSA 2008-41: Critical

Titled "Privilege escalation via XPCnativeWrapper pollution"--Mozilla says this fix includes "a series of vulnerabilities which can pollute XPCNativeWrappers and allow arbitrary code run with chrome privileges." The company credits Mozilla security researcher moz_bug_r_a4 for reporting the vulnerability.

MFSA 2008-39: Critical

Titled "Privilege escalation using feed preview page and XSS flaw"--Mozilla says this fixes "a series of vulnerabilities in feedWriter which allow scripts from page content to run with chrome privileges." The company credits Mozilla security researcher moz_bug_r_a4 for reporting this vulnerability. Firefox 3 is not affected by this issue.

MFSA 2008-37: Critical

Titled "UTF-8 URL stack buffer overflow"--Mozilla says "a specially crafted UTF-8 URL in a hyperlink...could overflow a stack buffer and allow an attacker to execute arbitrary code." The company credits Mozilla security researcher Justin Schuh and Tom Cross of the IBM X-Force and Peter Williams of IBM Watson Labs for reporting this vulnerability. Firefox 3 is not affected by this issue.

MFSA 2008-38: High

Titled "nsXMLDocument::OnChannelRedirect() same-origin violation"--Mozilla says the same-origin check in nsXMLDocument::OnChannelRedirect() could be bypassed and could be used to execute JavaScript in the context of a different Web site. The company credits Mozilla security researcher moz_bug_r_a4 for reporting this vulnerability. Firefox 3 is not affected by this issue.

MFSA 2008-43: Moderate

Titled "BOM characters stripped from JavaScript before execution"--Mozilla says certain BOM characters are stripped from JavaScript code before it is executed and could lead to code being executed. The company credits Microsoft developer Dave Reed and security researcher Gareth Heyes for reporting the vulnerability.

MFSA 2008-44: Moderate

Titled "resource: traversal vulnerabilities"--Mozilla says the restrictions imposed on local HTML files could be bypassed using the resource: protocol, allowing an attacker to read information about the system and prompt the victim to save the information in a file. The company credits Mozilla developer Boris Zbarsky and Georgi Guninski for reporting this vulnerability.

MFSA 2008-40: Low

Titled "Forced mouse drag"--Mozilla says the vulnerability allows an attacker to move the content window while the mouse is being clicked, causing an item to be dragged rather than clicked-on possibly forcing a user to download a file or perform other drag-and-drop actions. The company credits Mozilla developer Paul Nickerson for reporting this variant of a click-hijacking vulnerability discovered in Internet Explorer by Liu Die Yu.

MFSA 2008-45: Low

Titled "XBM image uninitialized memory reading"--Mozilla says a bug in the XBM decoder allowed random small chunks of uninitialized memory to be read. The company credits Billy Hoffman with reporting this vulnerability. Firefox 3 is not affected by this issue.

[jeents]

Re: Firefox 3. I downloaded it on my Macbook and was impressed with its speed. However, when I went on line to check documents on my Insurance (USAA) and Credit Card (XX), I could not open the documents. I left Firefox installed and used Safari to do the same and Firefox automatically opened when I tried to view the documents. I had to uninstall Firefox to view those documents on line. I've never had that trouble with Safari before. <br />Any idea what it is and if Firefox is aware of it? <br />Thanks,<br />jeents

[goodspeed8701]

safari and ff both sux. google chrome is the worste i i know IE and opera are the way to go.

[skillingssucks]

[rolls eyes]

[zelrio]

You're a noob goodspeed

[Wikirk71]

perhaps u should go back to skool and lern to spellll for one. IE has done nothing but gotten worse over the years and doesn't even come close to FF capabilities when streaming audiio or video files. Especially video files. Just another case of M$ pushing their agenda onto the people. FF, Mozilla, and open source are the way to go...Break free of the chainz M$ has placed on your PC's.

[TrioBrothers]

Excuse me. Have you been sleeping all these years? How come you are still with IE anyway? <br /><br />Heard of drive-by malware that install itself automatically when one uses IE? Heard of people getting endless list of viruses when they use IE to browse? Heard of spyware that installs toolbars on IE? I can't believe you still have the heart to comment FireFox sucks! If you dare, try reinstall Windows XP from scratch, not even the SP1, SP2 or SP3 edition, and go on with the list of security updates IE has always had. Its plentiful, and its a heartache when you wait for them to be reinstalled again, not to mention downloading time.<br /><br />So far since I skipped away from IE to FireFox, I never had malware problems, except from friends who shared thumbdrives with me. Its impossible to say my antivirus or firewall were the cause of it since I had them long before I used FireFox. Never had to suffer freezes from loading pages except those that uses Java and Adobe Acrobat Reader. Only used IE for Windows Update, even in IE 7 I still has not recovered myself from trusting IE again till the security issues cooled down.<br /><br />Anyway, FireFox is my new baby for security and speed. Google Chrome is the next, though Opera and Safari are excellent browser, I disliked their interface else no other negative comment.

[amr_adn]

Firefox is one of the good browsers chrome has faster loading times but it lacks features

[Iris Hupka]

Could you tell me what the system requirement is to download Firefox 3. I have Windows Vista. Thanks

[andrew9123]

Firefox is compatible with Windows Vista. Here's the link to the requirements <br /><br />http://en-us.www.mozilla.com/en-US/firefox/system-requirements.html

[unknown unknown]

They're publish on the Mozilla website. If your computer can run Vista, you can run Firefox 3, Vista's minimum requirements are greater in most cases than Firefox 3's recommended system stats.

[zelrio]

Firefox is compatible with Vista

[TrioBrothers]

As expected, the security flaws were seen and updated. Guess you just have to stand by your reliable antivirus and firewall application to stay protected when a malware starts killing your machine. FireFox has been great, except I still kind of disliked the new address bar feature, that smartly predicts what website you are trying to visit. And the prefetch function? Nah, just got to off it everytime FireFox reinstalled.<br /><br />But I agree FireFox still needs to identify some web loading problems. I have had problems accessing Friendster where the page refreshes but is blanked out, since I has FireFox 2.