Firefox update fixes critical security vulnerabilities
The Mozilla project is distributing version 2.0.0.13 of its popular open source Firefox browser. This release fixes several critical vulnerabilities which could be exploited by attackers to inject malicious code or fake page content.
The browser's JavaScript engine contains several of the security vulnerabilities. Due to incorrect processing, attackers can execute external code with maximum privileges in the browser and also perform cross-site scripting (MFSA-2008-14 and MFSA-2008-15). Security advisory MSFA-2008-18 describes a vulnerability which allows Java applets to access any port on a local computer. According to the Mozilla security advisory, Sun has integrated a bug fix into the current version of Java Runtime, but the Mozilla programmers have also introduced countermeasures into their new version.
A security vulnerability allows attackers to fake a borderless popup from a background tab using crafted web pages and place it in front of the user's active tab. This could be used to spoof form elements and phish for data such as login data. Attackers can also circumvent the method used by some websites to protect against cross-site request forgery (CSRF) if server-side protection is based solely on referrer checking, as it is possible to fake the HTTP referrer (MSFA-2008-16). The Mozilla browser may reveal personal data if a user possesses a personal certificate which the browser presents automatically during SSL client authentication. According to security advisory MFSA-2008-17, following the update the browser asks the user before presenting the client certificate when it is requested by a website.
Most of the security vulnerabilities also affect the Thunderbird mail client and the Seamonkey browser suite. The security advisories refer to Thunderbird version 2.0.0.13 and Seamonkey 1.1.9, in which these bugs should be fixed. These versions are not yet, however, being distributed automatically. Firefox users should install the update without delay, as the vulnerabilities can be exploited using crafted web pages to inject trojans.
See also:
- Fixed in Firefox 2.0.0.13, overview of the security vulnerabilities fixed by the Mozilla development team
- JavaScript privilege escalation and arbitrary code execution, security advisory from the Mozilla development team
- Crashes with evidence of memory corruption (rv:1.8.1.13), security advisory from the Mozilla development team
- HTTP Referrer spoofing with malformed URLs, security advisory from the Mozilla development team
- Privacy issue with SSL Client Authentication, security advisory from the Mozilla development team
- Java socket connection to any local port via LiveConnect, security advisory from the Mozilla development team
- XUL popup spoofing variant (cross-tab popups), security advisory from the Mozilla development team
(mba)