Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Mozilla Fixes Firefox Flaws, Misses One
#1
Mozilla today updated Firefox 2.0 for the first time, but the upgrade lacks at least one fix for a well known and already disclosed flaw in the open source browsers.

In late November, a Password Manager flaw was reported in Firefox, leaving users at risk for having their log-in information misappropriated by malicious sites.

The flaw allows a maliciously crafted page to auto-fill a form with credentials intended for another site.

There is no warning in Firefox 2.0 or previous versions that the credentials are being pulled for the wrong site and submitted to a third party.

As of 5 p.m. EST today, the Bugzilla entry for the flaw is still open.

However, Firefox 2.0.0.1 does feature fixes for five critical security flaws that could have left users at risk to arbitrary code execution and other attacks. The fixes are also reflected in Mozilla's legacy 1.5.x browser in the new 1.5.0.9 release.

Mozilla Foundation Security Advisory 2006-68 fixes flaws that deal with crashes that hackers can use to corrupt memory for malicious purposes.

"As part of the Firefox 2.0.0.1 and 1.5.0.9 update releases we fixed several bugs to improve the stability of the product," the Mozilla advisory states. "Some of these were crashes that showed evidence of memory corruption and we presume that at least some of these could be exploited to run arbitrary code with enough effort."

The Mozilla advisory cites three separate Common Vulnerabilities and Exposures (CVE) identifications (CVE-2006-6497, CVE-2006-6498 and CVE-2006-6499).

Another critical flaw fixed in the new Firefox release addresses a separate crash issue when using a certain CSS (define)cursor property on Windows.

According to the advisory, a miscalculated size during conversion of the image to a Windows bitmap can result in a heap buffer overflow which could be used to compromise the victim's computer.

Crash issues aren't the only critical flaws fixed.

Mozilla Foundation Security Advisory 2006-70 discusses a fix for a JavaScript flaw that could have led to privilege escalation.



Source: http://www.internetnews.com/dev-news/art...hp/3650106
~ FFW
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Mozilla Firefox Features Abigail 4 945 11-01-2010, 08:30 AM
Last Post: Arеs
  Mozilla Rewriting A Lot Of Code For Upcoming Firefox V3 - InformationWeek Forum Bot 2 1,156 10-18-2007, 08:54 AM
Last Post: Jougukny
  Mozilla Firefox 1.5 reaches End of Life - Geekzone Forum Bot 0 635 06-04-2007, 07:25 AM
Last Post: Forum Bot
  Mozilla Firefox 2.0.0.4 Release Candidate 3 Available FirefoxWiz 0 596 05-25-2007, 05:33 AM
Last Post: FirefoxWiz
  Mozilla extends Firefox support to mid-May FirefoxWiz 0 579 04-25-2007, 01:35 PM
Last Post: FirefoxWiz

Forum Jump:


Users browsing this thread: 1 Guest(s)