Firefox updates include a dozen security fixes

On Wednesday, Mozilla released Firefox 3.0.4 (download for Windows and Mac) and Firefox 2.0.0.18 to address a dozen security flaws, half of which the browser maker ranks as critical. Among the critical is one that could allow an attacker privilege escalation after a session restore. Another could allow arbitrary code to execute with compromised Flash media files.

The updates are pushed automatically to current users and will take effect the next time the browser is restarted. Updates will soon no longer be available for users of Firefox 2; the update is a security update only. Current users of Firefox 2 are encouraged to upgrade by manually downloading Firefox 3 as soon as possible.

MFSA 2008-55: Critical
A crash and remote code execution is possible in nsFrameManager. This vulnerability can be exploited by modifying certain properties of a file input element before it has finished initializing. Details can be found in CVE-2008-5021

MFSA 2008-54: Critical
There's a buffer overflow in http-index-format parser as a result of the way Mozilla parses the http-index-format MIME type. Mozilla says by sending a specially crafted 200 header line in the HTTP index response, an attacker can cause the browser to crash and run arbitrary code on the victim's computer. Details can be found in CVE-2008-0017.

MFSA 2008-53: Critical
Mozilla says the browser's session restore feature can be used to violate the same-origin policy and run JavaScript in the context of another site. Details can be found in CVE-2008-5019.

MFSA 2008-52: Critical
Mozilla developers identified and fixed several stability bugs which may cause crashes in the browser engine used in Firefox and other Mozilla-based products. Details can be found in CVE-2008-5016 and CVE-2008-5017

MFSA 2008-50: Critical
Mozilla says by tampering with the window.__proto__.__proto__ object, a remote attacker can cause the browser to place a lock on a non-native object, leading to a crash and possible execution of arbitrary code. Details can be found in CVE-2008-5014

MFSA 2008-49: Critical
Mozilla says a SWF file which dynamically unloads itself from an outside JavaScript function can cause the browser to access a memory address no longer mapped to the Flash module, resulting in a crash. This crash could be used by an attacker to run arbitrary code on a victim's computer. Details can be found in CVE-2008-5013.

MFSA 2008-48: High
Mozilla says the canvas element in Firefox could be used in conjunction with an HTTP redirect to bypass same-origin restrictions and gain access to the content in arbitrary images from other domains. This vulnerability could be used by an attacker to steal private information from a victim who is logged into a website that stores the data in images. Details can be found in CVE-2008-5012

MFSA 2008-57: High
Mozilla says the -moz-binding CSS property can be used to bypass security checks which validate codebase principals. Details can be found in CVE-2008-5023.

MFSA 2008-56: High
Mozilla says the same-origin check in nsXMLHttpRequest::NotifyEventListeners() can be bypassed. This vulnerability could be used to execute JavaScript in the context of a different Web site. Details can be found in CVE-2008-5022.

MFSA 2008-51: Moderate
Mozilla says URIs are given chrome privileges when opened in the same tab as a chrome page or privileged about: page. This vulnerability could be used by an attacker to run arbitrary JavaScript with chrome privileges. Details can be found in CVE-2008-5015.

MFSA 2008-47: Moderate
Mozilla says locally saved .url shortcut files could be used to read information stored in the local cache. Details can be found in CVE-2008-4582.

MFSA 2008-58: Low
There's a parsing error in E4X default namespace. The error was caused by quote characters in the namespace not being properly escaped. Details can be found in CVE-2008-5024.

[BetterthanurX]

Updates AREN"T pushed to Mac users automatically you have to do it manually everytime a new update is out. Highly annoying!

[Pete Bardo]

I guess not everything on a Mac is super-cool! But I had to request the update on my Windoze machine too.

[Dalkorian]

Updates are pushed out to users eventually, to all platforms. That doesn't mean that YOU will see the update prompt immediately though, it will come when the browser checks again. I get automatic updates to Firefox on OSX all the time, so I know it works.

[Eric-ak]

I have used Firefox for four years and have always been advised that I had received an update and it would be installed on my next startup. No choice in the matter.
The update they just forced on me has screwed up my web browsing substantially.
I can't get Gmail to load in the "standard" configuration.
I can't post in a forum I normally contribute to.
I can't send p.m.'s within a forum.
No idea what else it has screwed up, and I can't find any firewall processes that are blocking Firefox.

When I switch to Internet Explorer, no problem with any web pages.

This is the first time I've had a problem with Firefox. It's not worth the hassle trying to spend hours looking for a non-techspeak explanation of how to get the program to operate as it once did. I really won't know if there's any disadvantage to going back to IE until I encounter something unusual, but for now I'm done with Firefox and can't really imagine why I should fool with it again. If the updates aren't optional for PC users, this will probably happen again if I somehow convince myself to try Firefox again.

[mementh]

sounds like a problem I had.. get the user agent switcher plugin and make sure its set to firefox and you should be ok..

It sounds like your using IE's user agent string and the servers are sending IE optimized code that is non standard and firefox is choking on it.

[Dalkorian]

by mementh November 14, 2008 7:18 PM PST
It sounds like your using IE's user agent string and the servers are sending IE optimized code that is non standard and firefox is choking on it.
----------------------------------------------------------
As every other decent thing on this planet does with IE code.

[MafiaPenguin]

It's 2.0.0.18, not 2.0.18.
You forgot a zero.

[gp2792]

No more updates to Firefox 2? did I read that correctly? does that include security updates?

[clajdc]

Firefox 3.0.3 is buggy and slow-slow -slow. Can't even print anything with Firefox. i had to go to Safari and go to the same web site and print was fine. Now i get an update from Cnet web page and I down load it and an EXE file. I CAN'T open an EXE on a MAC! I am sorry I upgrade to 3.0.3 from my 1.9 what ever.

[mementh]

went to download.com and searched under mac..
it re-directed me to the firefox page here
[url]http://www.mozilla.com/en-US/products/download.html?product=firefox-3.0.4&os=osx&lang=en-US[/url]

[jimhadden]

I accepted the recent "improvement" of FireFox 3.0.4 and was greeted by a laguage that featured "Meeste besoek" as the first heading in the Boekmerke bar. I stumbled through the menu to be taken to
http://www.mozilla.com/en-US/firefox/all.html, which contains a list of all current downloads? ¿Guess which was first? Afrikaans! Ahah, THAT was what WAS pushed at me on two machines.

I hope that selecting The US English localixzation of FF 3.0.5, which wasn't (or waasn't) pushed at me, I'll be vree of all those vowels.