In association with heise online

20 December 2006, 12:15

A number of holes remedied in Firefox and Thunderbird

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

The Mozilla Foundation has released new versions of its browser and email client for Windows, Linux, and Mac OS X that remedy several critical security holes. Attackers could use these to get control of local PCs. All they need to do is get users to visit a manipulated web site or open a malicious email. The updates are already being automatically distributed.

In Firefox, a total of eight holes have been closed, five of which developers considered critical. One of them was a memory access error in the processing of SVG (scalable vector graphics) comment objects that allows code to be injected and executed. An error in the LiveConnect code that enables communication between JavaScript and Java applets is not as easy to exploit according to a security bulletin from the Mozilla Foundation. Generally, the browser only crashes, but the Foundation cannot rule out the possibility that code could be executed with some effort. As Thunderbird does not normally download any applets, the problem cannot occur there even though the software also contains defective code.

In addition, attackers could use the JavaScript method "watch()" that monitors values in scripts to infect a computer with malicious code. The Mozilla Foundation did not provide any details; an embargo has been put on all Bugzilla entries concerning the errors during the "active update period". But some people who have discovered the holes have already published their own error reports.

A heap overflow also occurs when prepared images are converted into Windows bitmaps. For this trick to work, the properties of a site's CSS cursor reportedly have to be manipulated. Only the Windows version of Firefox is affected.

The browser's stability has also been improved to reduce the frequency of crashes. This problem was also considered critical because some of the crashes provided indications of memory leaks that attackers might be able to use to write code into the memory and execute it.

Finally, two cross-site scripting (XSS) weak points and a problem with RSS feeds were remedied. One of the XSS holes is only found in Firefox, while the others were also remedied in Firefox and Thunderbird The errors have also been corrected in SeaMonkey 1.0.7. The developers explicitly state that Firefox also supports Windows Vista, though there are still some problems; for instance, some extra steps have to be taken into account for automatic updates, and Firefox cannot yet be made the default browser under Vista. While the developers also mention the error concerning emails deleted without prompting in the release notes for Thunderbird, the entry in Bugzilla says that the error has been remedied in version

Firefox, and Thunderbird are available in a number of languages as downloads from Mozilla's download site, but the new versions are also being distributed via the application's software update. Firefox 1.0 and Thunderbird 1.0x are no longer supported; the errors are thus not remedied there. Users are advised to install the latest releases.

Also see:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit