Tag Archives: Software Patches

FireFox 3.0.2 Released – 11 Bugs Fixed – Update Today!

The latest update of FireFox version 3.0.2 now available for download includes patches for 11 security deficiencies, many of them rated as critical by Mozilla Corporation.

If you are still using FireFox version 2, then you need to update this version as well, since the latest release of this version includes 14 patches. A number of patches in version 2 are exclusive to this specific version.

Frankly, if you are still using version 2 you need to take the plunge and update to version 3 now. There is no guarantee that Mozilla will continue to offer support for version 2.

A number of the vulnerabilities in version 3 were serious, and included stability issues related to graphics rendering, layout and JavaScript engines. Each has the potential to cause browser crashes could potentially leave the user open to exploitation by malicious code.

The latest FireFox security advisory lists the following vulnerabilities as having been patched.

MFSA 2008-42: Critical

Titled “Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)”–Mozilla says under certain circumstances memory corruption could be exploited to run arbitrary code.

MFSA 2008-41: Critical

Titled “Privilege escalation via XPCnativeWrapper pollution”–Mozilla says this fix includes “a series of vulnerabilities which can pollute XPCNativeWrappers and allow arbitrary code run with chrome privileges.”

MFSA 2008-39: Critical

Titled “Privilege escalation using feed preview page and XSS flaw”–Mozilla says this fixes “a series of vulnerabilities in feedWriter which allow scripts from page content to run with chrome privileges.”

MFSA 2008-37: Critical

Titled “UTF-8 URL stack buffer overflow”–Mozilla says “a specially crafted UTF-8 URL in a hyperlink…could overflow a stack buffer and allow an attacker to execute arbitrary code.

MFSA 2008-38: High

Titled “nsXMLDocument::OnChannelRedirect() same-origin violation”–Mozilla says the same-origin check in nsXMLDocument::OnChannelRedirect() could be bypassed and could be used to execute JavaScript in the context of a different Web site.

MFSA 2008-43: Moderate

Titled “BOM characters stripped from JavaScript before execution”–Mozilla says certain BOM characters are stripped from JavaScript code before it is executed and could lead to code being executed.

MFSA 2008-44: Moderate

Titled “resource: traversal vulnerabilities”–Mozilla says the restrictions imposed on local HTML files could be bypassed using the resource: protocol, allowing an attacker to read information about the system and prompt the victim to save the information in a file.

MFSA 2008-40: Low

Titled “Forced mouse drag”–Mozilla says the vulnerability allows an attacker to move the content window while the mouse is being clicked, causing an item to be dragged rather than clicked-on possibly forcing a user to download a file or perform other drag-and-drop actions.

MFSA 2008-45: Low

Titled “XBM image uninitialized memory reading”–Mozilla says a bug in the XBM decoder allowed random small chunks of uninitialized memory to be read.

It is highly recommended that you update immediately on the Mozilla site, or by clicking on Help – Check for Updates in FireFox.

1 Comment

Filed under Browsers, Firefox, Freeware, Geek Software and Tools, Interconnectivity, Internet Safety, Internet Safety Tools, Online Safety, Software, Windows Tips and Tools

Firefox 2.0.0.10 Fixes Several Flaws

A new version of Firefox was released today.

You can upgrade through the Help-Check for Updates feature.

The new version addresses three vulnerabilities, all rated “High,” which Mozilla defines as “Vulnerability can be used to interact gather sensitive data from other sites the user is visiting or inject data or code into those sites, requiring no more than normal browsing actions.” This is less serious than Critical, which entails remote code execution.

The three vulnerabilities are:

* 2007-37: jar: URI scheme XSS hazard: Several vulnerability scenarios are possible with the jar: URI scheme, which is intended to support signed pages in a jar file. Henceforth, these files may only be served with a Content-Type header of application/java-archive or application/x-jar.

* 2007-38: Memory corruption vulnerabilities: Three bugs can result in memory corruption that can cause program crashes. It may be possible that these could result in code execution, but this has not been demonstrated.

* 2007-39: Referer-spoofing via window.location race condition: It’s possible to fake the referer field by exploiting a timing issue in window.location. This could lead to a forgery attack in some cases.

Comments Off on Firefox 2.0.0.10 Fixes Several Flaws

Filed under Firefox