On GameSpot: The All-Time Greatest Game Hero revealed
BNET Business Network:
BNET
TechRepublic
ZDNet

July 2nd, 2008

Firefox 2 dirty dozen: Critical vulnerabilities patched

Posted by Ryan Naraine @ 11:36 am

Categories: Uncategorized

Tags: Mozilla Firefox 3.0, Mozilla Firefox, Critical Vulnerability, XSS, Mozilla Firefox 2.0, MFSA, Web Browsers, Internet, Ryan Naraine

Critical vulnerabilities patched Mozilla has shipped a high-priority update for Firefox 2, warning that there are at least five serious vulnerabilities that could lead to code execution attacks.

With Firefox 2.0.0.15, Mozilla fixes at least 12 documented vulnerabilities — five rated critical –  that could put users at risk of arbitrary file upload, arbitrary code execution, URL spoofing and cross-site scripting attacks.

The update is available for Windows, Mac OS X and Linux users.

Mozilla is recommending that all users upgrade to the shiny new Firefox 3 but, because of compatibility issues with add-ons and extensions, some users are hesitant to upgrade immediately.

[ SEE: Code execution vulnerability found in Firefox 3.0

The Firefox 2 patch is being distributed via the browser’s automatic updates mechanism but there’s a small worry that some users who install but never use the browser will still be at risk.

The newest Firefox 3 is known to be vulnerable to a highly critical vulnerability that is not yet patched.

Details on the Firefox 2 patches:

  • MFSA 2008-33 Crash and remote code execution in block reflow
  • MFSA 2008-32 Remote site run as local file via Windows URL shortcut
  • MFSA 2008-31 Peer-trusted certs can use alt names to spoof
  • MFSA 2008-30 File location URL in directory listings not escaped properly
  • MFSA 2008-29 Faulty .properties file results in uninitialized memory being used
  • MFSA 2008-28 Arbitrary socket connections with Java LiveConnect on Mac OS X
  • MFSA 2008-27 Arbitrary file upload via originalTarget and DOM Range
  • MFSA 2008-25 Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
  • MFSA 2008-24 Chrome script loading from fastload file
  • MFSA 2008-23 Signed JAR tampering
  • MFSA 2008-22 XSS through JavaScript same-origin violation
  • MFSA 2008-21 Crashes with evidence of memory corruption (rv:1.8.1.15)

* Image source: laihiu’s Flickr photostream (Creative Commons 2.0).

Ryan NaraineRyan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.


Email Ryan Naraine

For daily updates on Ryan's activities, follow him on Twitter.

Subscribe to Zero Day via Email alerts or RSS.

  • Talkback
  • Most Recent of 4 Talkback(s)
RE: Firefox 2 dirty dozen: Critical vulnerabilities patched
I have been happy using Firefox ever since it began - and have just upgraded to FF 3. However there is a little glitch that I have not been able to resolve. In e-mails and on web site some punctuation... (Read the rest)
Posted by: HELLASBOOK Posted on: 07/07/08 You are currently: a Guest | | Terms of Use
Wasn't Able to Upgrade to 3.0  PMC-CON | 07/03/08
Have you tried the Standard Diagnostic procedures  mhenriday | 07/03/08
Re: Standard Diagnostic  Greenknight_z | 07/04/08
RE: Firefox 2 dirty dozen: Critical vulnerabilities patched  HELLASBOOK | 07/07/08

What do you think?

SponsoredWhite Papers, Webcasts, and Downloads

Essential Topics Click Here

advertisement

Recent Entries

advertisement

Archives

Favorite Links

ZDNet Blogs

White Papers, Webcasts, and Downloads

SmartPlanet

Click Here