In association with heise online

31 May 2007, 12:12

Developers fix security vulnerabilities in Mozilla software

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

The developers at Mozilla have fixed numerous security vulnerabilities in the open-source programs Firefox, Thunderbird and Seamonkey. The vulnerabilities allowed attackers to inject malicious code, execute cross-site scripting attacks or overlay parts of the application window with foreign content.

Among other things, the developers have worked on the stability of the programs. The faults that they have thereby eliminated in the layout and JavaScript engines, which caused crashing, could have been used to inject malicious code in some cases. The JavaScript function addEventListener might be exploited by attackers to bypass the browser-generated check on the same source domain and allow script code from outside domains to be injected in the current page.

The login data for mail servers in Thunderbird, which was protected by the encrypted APOP authentication, could be more easily cracked since the program did not follow the protocol strictly enough. Elements in the description language for the optics and the layout of the Mozilla programs XUL could be placed by attackers in such a manner, that these areas would lie outside of the actual content display, for example, over the address bar in the browser.

In addition, the Mozilla developers have upgraded a missing length check for path data for cookies. This allowed attackers to occupy large quantities of memory and possibly trigger a denial-of-service attack. As a result of a missing check on the internally used separators between the values for the cookie path and the field names, it was feasible that seized, non-secure Web servers could mistakenly write secure cookies.

The faults affect the program versions prior to the currently released versions Firefox and, Thunderbird and as well as Seamonkey 1.1.2 and 1.0.9. Since attackers can possibly smuggle in malicious code in the previous versions, Mozilla users should update as soon as possible. An automatic update is already available for Firefox, and the automatic updates for Thunderbird and Seamonkey should be available in the near future.

Firefox is supposed to be the last supported version in the 1.5 series. The developers want to provide an automatic update on version 2 of the browser "in a few weeks".

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit