Daily cyber threats and internet security news: network security, online safety and latest security alerts
November 12th, 2008

Firefox 3.0.4, Firefox And SeaMonkey 1.1.13 Released, 11 Security Vulnerabilities Patched, 4 Of Them Critical

Mozilla has released a new version of its flagship Firefox browser to fix a total of 11 vulnerabilities that expose users to code execution, information stealing or denial-of-service attacks. Four of the 11 flaws covered with the new Firefox 3.0.4 are rated “critical” because of the risk of code execution attacks via specially rigged Web pages.

The four critical vulnerabilities are:

MFSA 2008-55 Crash and remote code execution in nsFrameManager. A vulnerability in part of Mozilla’s DOM constructing code can be exploited by modifying certain properties of a file input element before it has finished initializing. When the blur method of the modified input element is called, uninitialized memory is accessed by the browser, resulting in a crash. This crash may be used by an attacker to run arbitrary code on a victim’s computer.

MFSA 2008-54 Buffer overflow in http-index-format parser. This is a flaw in the way Mozilla parses the http-index-format MIME type. By sending a specially crafted 200 header line in the HTTP index response, an attacker can cause the browser to crash and run arbitrary code on the victim’s computer.

MFSA 2008-53 XSS and JavaScript privilege escalation via session restore. The browser’s session restore feature can be used to violate the same-origin policy and run JavaScript in the context of another site. Any otherwise unexploitable crash can be used to force the user into the session restore state. This vulnerability could also be used by an attacker to run arbitrary JavaScript with chrome privileges.

MFSA 2008-52 Crashes with evidence of memory corruption. Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

The Firefox update also fixes the following issues:

MFSA 2008-58 Parsing error in E4X default namespace.

MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals.

MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation.

MFSA 2008-51 file: URIs inherit chrome privileges when opened from chrome.

MFSA 2008-47 Information stealing via local shortcut files.

Mozilla recommends that users who still run FF2 upgrade to FF3 as soon as possible.
