Two critical holes in Firefox plugged
With versions 2.0.0.16 and 3.0.1, the developers have plugged two security holes in Firefox that they categorise as critical. These versions will be offered shortly via the built-in update mechanism and will also appear on the download sites.
One of the holes stems from the behaviour that several URLs separated by the pipe symbol can be passed to Firefox on the command line when it starts up, each being opened in a separate tab.
This can be exploited to circumvent the security checks that prevent access to privileged URIs such as chrome:. That means, for instance, that scripts could end up with complete access to the system. The workaround the developers offered seemed almost tongue-in-cheek: since the attack only succeeds while Firefox is starting up, their recommendation is, "Using Firefox ... prevents attack".
- Firefox 2.0.0.16 release notes
- Security advisories for Firefox 3.0
- Remote code execution by overflowing CSS reference counter, Mozilla security announcement
- Command-line URLs launch multiple tabs when Firefox not running, Mozilla security announcement