December 18, 2008 7:45 AM PST

Mozilla patches highly critical security flaws

by Dawn Kawamoto

Mozilla has released updates to its popular Firefox browser, its Thunderbird e-mail client, and its SeaMonkey application suite, aiming to address highly critical security flaws that could expose users' sensitive information.

Users are advised to update to version 3.0.5 of Firefox, which was released Tuesday. They are also advised to update to version 2.0.0.19 of Thunderbird and version 1.1.14 of SeaMonkey.

The vulnerabilities were found in earlier versions of Firefox 3, as well as in versions of Firefox 2.

According to a research note released Wednesday by the security firm Secunia:

Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to bypass certain security restrictions, disclose sensitive information, conduct cross-site scripting attacks, or potentially compromise a user's system.

  1. Errors in the layout and JavaScript engines can be exploited to corrupt memory and potentially execute arbitrary code.
  2. An error when processing the "persist" XUL attribute can be exploited to bypass cookie settings and uniquely identify a user in subsequent browsing sessions.
  3. Multiple errors can be exploited to bypass the same-origin policy, disclose sensitive information, and execute JavaScript code with chrome privileges.

One advisory addresses critical security flaws in all three programs (Firefox, Thunderbird, and SeaMonkey) that could arise from memory corruption and allow attackers to run arbitrary code on users' computers.

Mozilla also notes that another set of critical vulnerabilities in all three could redirect users from a legitimate site to a malicious one, where users' private data could be stolen. And a third set of critical flaws noted in all three could lead to the launching of arbitrary JavaScript within a different Web site.

Dawn Kawamoto covers enterprise security and financial news relating to technology for CNET News. E-mail Dawn.
by queticomn December 18, 2008 8:34 AM PST
At least Mozilla doesn't waste any time patching the flaws in Firefox, in days. Whereas micro$soft may take a month or more to release a patch at times. You would think after 8 versions of IE, they could get it right. The problem is IE is so ingrained into Windows.
by celticbrewer December 18, 2008 9:15 AM PST
How do you know? It didn't state how long they knew about the flaws.

And Firefox (by that name) may be on version 3, but its core started a LONG time ago (Mozilla, Netscape, Mosaic, etc.). I'm quite sure they've had more than 8 versions.

I'm a firefox user, but c'mon. Stop with the anti-M$ bull- No, they're not perfect, but neither is anyone else.
by Seaspray0 December 18, 2008 10:34 AM PST
The last IE patch was released yesterday for a flaw that was exposed only a few days before. No, it doesn't always happen within a few days, but neither do patches for anyone else. The problem is you are ignorant of the facts.
by ittesi259 December 18, 2008 10:47 AM PST
The MS flaw was exposed a good 2 and a half weeks ago... CNET is just slow to report it...
by aka_tripleB December 18, 2008 11:58 AM PST
If the flaw was in version 2, that means it's been there a while. So don't go claiming Mozilla doesn't waste any time.
by ferretboy88 December 18, 2008 1:12 PM PST
PC Mag and CNET reported this year that Microsoft fixed bugs faster than Apple and all the other companies.
by SVContrarian December 18, 2008 9:10 AM PST
What do you mean Mozilla doesn't waste any time patching flaws? Get real. These flaws have been out there since this code shipped. And I see multiple critical flaws here. Time to take your heads out of the sand MSFT haters.

At least with Microsoft, I know they've got the resources to fix things. Once Google stops paying Firefox's bills, who's going to hunt down all those Firefox flaws?

I can hear the FOSS lovers crying out..."but the community will take care of me".

If that was working so well, why does Firefox need Google's $180M? http://news.cnet.com/8301-13739_3-9776759-46.html

In the future, likely 2 choices. Microsoft and Chrome. They've both got the cold, hard, capitalist cash needed to make a browser secure.
by Dalkorian December 18, 2008 4:59 PM PST
Man, there is no combating that level of delusion. Just go tell Bill you've done his bidding and hope he pays up on that kickback he's promised you.

IE is impossible to secure. Flat out impossible. If you don't understand why, you don't know half what you think you know about computers.
by mattumanu December 21, 2008 5:05 AM PST
Dalkorian,

Saying what you just said, "IE is impossible to secure", in comment on a story about Mozilla patching security flaws makes you look pretty damned stupid, don't you think?
by drummer51689 December 18, 2008 9:34 AM PST
When the time comes that Google stops paying Mozilla... Mozilla will be able to take care of themselves because more companies will want to support and donate to them for making a well-known product. They will have plenty of support from companies in the future... and anyways Firefox will be very popular by then and have a huge market share.

drummer
by Seaspray0 December 18, 2008 10:43 AM PST
I could wish for that to be true, drummer, but neither you, nor I can see into the future like that. As for market share, they've already achieved the "huge" part to a good degree. Anything other than that... well you risk making yourself look like a fool should it not come to pass.
by Dalkorian December 18, 2008 5:02 PM PST
Maybe he has a crystal ball we don't have Seaspray0. Besides, FF was around before Google started supporting them so I doubt if it's much of a stretch to claim they'll still be around if the Google bucks dry up. But you're right - no one knows the future. Except our crystal ball studying folks, of course.
;-)
by 4score20 December 18, 2008 10:19 AM PST
drummer wrote; "... and anyways Firefox will be very popular by then and have a huge market share. "

Man, I just had a 90's flashback to Netscape. Trippy.
by ParellelSpider December 18, 2008 11:47 AM PST
I wonder where Penguinisto is. He might have locked himself in a fallout shelter: "Oh no! Firefox has flaws!!!!! THE WORLD'S GOING TO END!!!!" lol. Or he's just going to pretend this article doesn't exist.
by ferretboy88 December 18, 2008 1:15 PM PST
He is at the comic book show with his parents. They let him leave the basement today.
by Seaspray0 December 18, 2008 2:57 PM PST
Yes, where is the penguin? I want to pester him some more about backing up his lies. It's been a week now and he still hasn't found that "any 13 yr old" who can write a script that cracks Windows. It's not like they didn't have plenty of chances at the last Pwn2Own contest where Vista was left standing. You've made the claim more than once, penguin. I just want you to either back it up or admit to the BS you've been spreading.
by Dalkorian December 18, 2008 5:05 PM PST
Wow you trolls are brutal. Read my lips [1], ALL SOFTWARE HAS FLAWS BECAUSE IT'S WRITTEN BY HUMANS WHO ARE FLAWED.

Some software is just more flawed by design than others. Not mentioning names here (shouldn't have to), just pointing out a fact.

[1] Please don't bother to point out the ridiculousness of me asking you to read my lips on a blog. Try to have a sense of humor instead.
by ParellelSpider December 18, 2008 7:19 PM PST
Dalkorian, I'm not saying that IE isn't flawed, I'm merely pointing out how Penguinisto seems to think that all MS software is crap and that FF is godly and can't be compromised. Over the past little while Penguin has been saying on all the IE articles that Firefox is all high and mighty, and now that a major security flaw has been found in it he's nowhere to be found.

I agree with you that all software will be flawed in some way or another, but I'm pointing out a troll here (since he only seems to post negatively on the MS articles).
by Vegaman_Dan December 19, 2008 1:18 PM PST
Penguinisto is quick to tell everyone that the simple solution to avoid all network security issues with a browser is simply not to use Internet Explorer- err, I mean Firefox, um, perhaps that was Safari- Opera? What was the browser that was perfect again? Lynx?
by tm_anon December 18, 2008 1:54 PM PST
There will always be alternatives to IE, good ones, more secure ones. Even with all of the problems reported for FF, I'm still seeing far fewer real world problems using it than I ever saw using IE. The differences in the flaws are what make FF more viable as a secure browser than IE. As for Chrome, get a clue. Google is the biggest security risk with Chrome. From day one, they were collecting user data, sending it to themselves for use. The hackers would only have to do a hack one time, no need to get onto your machine when Google has all the data they would ever want in one conveniently located area. I'm currently using Flock because of the openness I've seen in the Forums. Someone brings up a problem, a staff member is right there, comments, asks questions about the problem, all to make the browser the absolute best it can possibly be. I still won't run a browser on my machine without having two forms of antivirus protection, but otherwise, it's the most secure browser I've ever used and, because of the many many deals made with other companies and because of how the integration into the browser has been handled, it won't be going anywhere because of lack of funding. The future of browsing isn't in a browser that can't even handle software from the same company, it's not in a browser that's so integrated into an OS that one single vulnerability could cripple your entire system, it's in a browser that runs well and pulls funding from various sources.
by Savencash1 December 18, 2008 8:40 PM PST
Let me check my wallet... yep, there it is... my Security+ certified card. Let me make this real simple... Anything, and I do mean anything, can have a vulnerability that someone will exploit. IE gets attacked for 2 reasons... they are sloppy with their code and they are the largest browser and therefore the biggest target.
As long as the Microsoft bandwagon enjoys a 90% market share they will be every cracker's target.
by bmoore8888 December 19, 2008 5:06 PM PST
I don't know about how well the flaws in FF have been patched, but since the update it stopped working! It opens ok but you can't click on anything. It's (not responding)!!!
by Seaspray0 December 21, 2008 8:00 AM PST
Your issue seems to be an isolated incident or more people would have reported the same. This leads me to believe you may have had a file corrupted on the hard drive. I can suggest removing FF, reinstalling it, then bringing it up to date with patches again. This process has worked for me in the past when a client computer has problems with any particular application.
by JCPayne December 21, 2008 5:17 AM PST
That's what I love about Mozilla. All you have to do is remind them about a flaw and the community will come together and release a patch in a few days... Unlike others out there that may leave you without a patch for a month or so, and you have to hope you don't get hit between the time of the announcement and the patch. WAY TO GO MOZILLA!
by BriRedd December 21, 2008 1:09 PM PST
bmoore8888 isn't alone. It seems that FF fixed one problem, but created others. After updating, none of my bookmarks work. I looked into it and found that this is a known and growing issue with this new update (check their support page). The moral of this story is that all software is software and can / will have problems.
by williamkidd December 23, 2008 10:34 PM PST
I haven't seen anywhere to get Thunderbird 2.0.0.19 that is listed as the fix in the Mozilla links from Dawn's article. The Thunderbird download page still lists 2.0.0.18 as the newest released version.