Numerous holes in Firefox 3.0 and 3.5 fixed
The new versions remedy a total of seven memory flaws that may be exploitable and have therefore been categorised as critical just to be on the safe side. The developers also took care of a potential spoofing vulnerability in the representation of URLs containing certain Unicode characters. Version 3.0.14 also fixes a flaw in the installation and uninstallation of PKCS#11 modules for access to cryptographic tokens. The dialogues were apparently not clear enough, allowing attackers to get victims to install a manipulated module.
The new versions now also warn users if they are using outdated versions of the Flash plug-in. Most users surf with vulnerable versions of Adobe Flash and as a result, as security provider Trusteer recently discovered, are excellent targets for criminals. The addition of Flash version checking may soon rectify this situation. At any rate, the Mozilla Foundation recommends that users of Firefox 3.0.x finally switch to 3.5.x. Support for the older version ends in January 2010.
- Mozilla to protect Adobe Flash users, a report from The H.
- 80 per cent of users surf with vulnerable versions of Flash, a report from The H.
- Security Advisories for Firefox 3.5, from Mozilla.
- Security Advisories for Firefox 3.0, from Mozilla.