In association with heise online

13 November 2008, 12:40

Firefox 3.0.4 closes nine security holes

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

The Mozilla Foundation has released Firefox version 3.0.4 to close nine security holes. The developers rated four of the holes as critical because they allow attackers to execute arbitrary code on the victim's system. One of the critical holes is a classical buffer overflow that can be triggered via specially crafted server responses.

A flaw in the way the browser restores a session after a program crash can cause Firefox to violate the same-origin policy when executing JavaScript code, which could be exploited to execute the code in the context of a different website. Attackers could remotely trigger a crash and subsequent restart to steal a user's access data to other web pages, for example.

Two of the critical holes have so far only been observed to cause crashes, but the developers suspect that the flaw can also be exploited to inject and execute code, as it involves memory corruptions. A flaw in the same-origin check in the nsXMLHttpRequest::NotifyEventListeners function also allows attackers to execute JavaScript in the context of another page. The developers only rated this security risk as high.

Two additional critical holes were closed in Firefox and SeaMonkey 1.1.13. While both vulnerabilities are caused by memory corruptions and mainly lead to program crashes, the developers didn't rule out that they could be exploited to infect systems. Specially crafted Shockwave and other files could corrupt the Flash player plug-in but give the browser continued access to the now essentially unmapped memory area.

Several of the flaws are also contained in the Thunderbird mail client and are to be fixed in version Usually, updated Thunderbird versions are only released a few days after the respective browser version – and this one is no exception.

Users of Firefox 2.x should consider upgrading to version 3.x. The developers have announced that they will cease to support 2.x in mid-December. There will be no more security updates after this time. Although the developers discussed extending the support window – for example because Thunderbird still uses the old version of the Gecko engine – it seems that this idea has been discarded.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit