In association with heise online

24 September 2008, 11:06

Firefox 3.0.2 eliminates security holes

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Firefox's developers have released Firefox version 3.0.2 which eliminates several security problems. These are five bugs in the layout, rendering and JavaScript engine, two of which the developers classified as critical.

One critical bug related to crashes in the browser which showed signs of memory corruption, leading the developers to suspect there may be a possibility of arbitrary code execution. The other critical issue was a corruption of the wrapper code which could allow an attacker to run code with the privileges of the browser, and in effect, those of the user.

Two other vulnerabilities were classed as moderate; a directory traversal issue with resource: protocol allowed local files to be read and a JavaScript parsing issue which offered a vector for XSS attacks.

One low class issue was also resolved. This involved a technique which moved the content window as a user clicked on something in the window, turning the operation from a click into a drag and drop. This could potentially be used to trick users into downloading files.

Firefox 3.0.2 is already available via automatic update and to download on the Firefox site. The new release also contains a number of bug fixes for stability and layout, and updates to some international languages supported. Also fixed is an issue where the back and forward buttons could disappear from the toolbar.

SeaMonkey and Thunderbird are also affected by the problems. SeaMonkey version 1.1.2, is now available with the vulnerabilities fixed. Thunderbird version is said to also have the problems resolved, but that has not appeared as yet on the Mozilla Thunderbird site; Thunderbird releases tend to lag behind Firefox updates by a few days. Although the mail client has code affected by the problems, this is mitigated by the fact that JavaScript is disabled by default, removing the attack route, and the Mozilla Foundation advise that the setting should be left that way for more secure mail.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit