Numerous Security Vulnerabilities Patched In Firefox 3.0.5
The open-source group Mozilla has released the final security patch for the Firefox 2 branch and a new version of Firefox 3 to plug several security flaws that could lead to remote code execution attacks, browser crashes and information disclosure issues.
Mozilla released eight different bulletins with details on the security flaws. Three of the bulletins carry a “critical” label, meaning they can be exploited to run attacker code and install software, requiring no user interaction beyond normal browsing. One of the bulletins carries a “high severity” rating, meaning it can be used by hackers to gather sensitive data from sites in other windows or inject data or code into those sites, requiring normal browsing actions.
Patched in Firefox 3.0.5:
MFSA 2008-69 XSS vulnerabilities in SessionStore
MFSA 2008-68 XSS and JavaScript privilege escalation
MFSA 2008-67 Escaped null characters ignored by CSS parser
MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters
MFSA 2008-65 Cross-domain data theft via script redirect error message
MFSA 2008-64 XMLHttpRequest 302 response disclosure
MFSA 2008-63 User tracking via XUL persist attribute
MFSA 2008-60 Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)
Some of the bugs only affect Firefox 3, others Firefox 2. Mozilla is not planning any more updates for Firefox 2. Google-powered anti-phishing protection will also no longer be available for Firefox 2 users.
Users of all Firefox versions are advised to apply the update, which is released via the browser’s automatic patching mechanism.
Update (December 19): A “clerical error” by Mozilla Corp. omitted one of the security patches that was supposed to be included in the Windows version of the latest Firefox 2.0.0.19 release. Mozilla will release Firefox 2.0.0.20, which will include the omitted patch, as early as Friday and no later than Monday. As per its policy, Mozilla was to officially retire the older browser Tuesday, but it must now delay that until Version 2.0.0.20 is available.