In association with heise online

31 May 2007, 12:12

Developers fix security vulnerabilities in Mozilla software


The developers at Mozilla have fixed numerous security vulnerabilities in the open-source programs Firefox, Thunderbird and Seamonkey. The vulnerabilities allowed attackers to inject malicious code, execute cross-site scripting attacks or overlay parts of the application window with foreign content.

Among other things, the developers have worked on the stability of the programs. The crash-causing faults they eliminated in the layout and JavaScript engines could, in some cases, have been used to inject malicious code. Attackers might exploit the JavaScript function addEventListener to bypass the browser's same-origin check and inject script code from other domains into the current page.

The login data for mail servers in Thunderbird, which was protected by the encrypted APOP authentication, could be cracked more easily because the program did not follow the protocol strictly enough. Attackers could place elements of XUL, the description language for the appearance and layout of the Mozilla programs, in such a way that these areas lay outside the actual content display, for example over the browser's address bar.

In addition, the Mozilla developers have added a missing length check for cookie path data. Its absence allowed attackers to occupy large quantities of memory and possibly trigger a denial-of-service attack. Because of a missing check on the internally used separators between the cookie path value and the field names, it was also feasible for hijacked, non-secure web servers to write secure cookies by mistake.

The faults affect the program versions prior to the currently released versions Firefox 2.0.0.4 and 1.5.0.12, Thunderbird 2.0.0.4 and 1.5.0.12 as well as Seamonkey 1.1.2 and 1.0.9. Since attackers can possibly smuggle in malicious code in the previous versions, Mozilla users should update as soon as possible. An automatic update is already available for Firefox, and the automatic updates for Thunderbird and Seamonkey should be available in the near future.

Firefox 1.5.0.12 is supposed to be the last supported version in the 1.5 series. The developers want to provide an automatic update on version 2 of the browser "in a few weeks".

(mba)

Permalink: http://h-online.com/-732965