Firefox and Safari updates close security holes
Version 220.127.116.11 of the Firefox web browser has been released by the Mozilla organisation. The update closes a security hole that developers opened up when patching a previously identified bug. Apple has also released an update for Safari that fixes four security vulnerabilities in the browser for Windows and Mac OS X. Attackers were able to use crafted websites to install trojans that could spoof the address bar or execute cross-site scripting attacks.
Two of the vulnerabilities in Safari only affect the Windows version; the other two apparently affect both Mac OS X and Windows. Under Windows, file downloads with maliciously crafted names could crash the computer or allow injected program code to be executed. In addition, websites could change the content of the address bar without loading the site indicated – the Apple developers had already remedied the flaw in Safari Beta 3.0.2, but it was apparently reinserted in 3.1.
The flaw in Firefox also affects the Thunderbird email client and the Seamonkey browser suite. No updated version has yet been released for either application. Firefox users are advised to install the update as soon as possible. The update is currently being distributed via the integrated update mechanism. Safari users are also advised to install the current version 3.1.1 as soon as possible; it is also being automatically distributed via Software Update.
- Mozilla Release notes for Firefox 18.104.22.168
- About the security content of Safari 3.1.1, overview of the flaws remedied in Safari 3.1.1
- Apple Safari WebKit PCRE Handling Integer Overflow Vulnerability, security advisory by the Zero Day Initiative