In association with heise online

10 September 2009, 11:18

Numerous holes in Firefox 3.0 and 3.5 fixed

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

The Mozilla Foundation has released Firefox versions 3.0.14 and 3.5.3, which close several critical security holes in previous versions. Attackers were able to exploit a flaw in FeedWriter to execute JavaScript code in a victim's browser with Chrome privileges, the highest rights code can run at within the browser. In addition, a flaw in the management of columns of a XUL tree element to manipulate pointers can be exploited to allow the execution of injected code. Victims need only visit a specially crafted website for the attack to take place.

The new versions remedy a total of seven memory flaws that may be exploitable and have therefore been categorised as critical just to be on the safe side. The developers also took care of a potential spoofing vulnerability in the representation of URLs with certain unicodes. Version 3.0.14 also fixes a flaw in the installation / un-installation of PKCS#11 modules for access to cryptographic tokens. The dialogues were apparently not clear enough, allowing attackers to get victims to install a manipulated module.

The new versions now also warn users if they are using outdated versions of the Flash plug-in. Most users surf with vulnerable versions of Adobe Flash and as a result, as security provider Trusteer recently discovered, are excellent targets for criminals. The addition of Flash version checking may soon rectify this situation. At any rate, the Mozilla Foundation recommends that users of Firefox 3.0.x finally switch to 3.5.x. Support for the older version ends in January 2010.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit