CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
December 17th, 2008

Numerous Security Vulnerabilities Patched In Firefox 3.0.5

The open-source group Mozilla has released the final security patch for the Firefox 2 branch and a new version of Firefox 3 to plug several security flaws that could lead to remote code execution attacks, browser crashes and information disclosure issues.

Mozilla released eight different bulletins with details on the security flaws. Three of the bulletins carry a “critical” label, meaning they can be exploited to run attacker code and install software, requiring no user interaction beyond normal browsing. One of the bulletins carries a “high severity” rating, meaning it can be used by hackers to gather sensitive data from sites in other windows or inject data or code into those sites, requiring only normal browsing actions.

Patched in Firefox 3.0.5:

MFSA 2008-69 XSS vulnerabilities in SessionStore

MFSA 2008-68 XSS and JavaScript privilege escalation

MFSA 2008-67 Escaped null characters ignored by CSS parser

MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters

MFSA 2008-65 Cross-domain data theft via script redirect error message

MFSA 2008-64 XMLHttpRequest 302 response disclosure

MFSA 2008-63 User tracking via XUL persist attribute

MFSA 2008-60 Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)

Some of the bugs only affect Firefox 3, others Firefox 2. Mozilla is not planning any more updates for Firefox 2. Google-powered anti-phishing protection will also no longer be available for Firefox 2 users.

Users of all Firefox versions are advised to apply the update, which is released via the browser’s automatic patching mechanism.

Update (December 19): A “clerical error” by Mozilla Corp. omitted one of the security patches that was supposed to be included in the Windows version of the latest Firefox 2.0.0.19 release. Mozilla will release Firefox 2.0.0.20, which will include the omitted patch, as early as Friday and no later than Monday. As per its policy, Mozilla was to officially retire the older browser Tuesday, but it must now delay that until version 2.0.0.20 is available.
