
December 16th, 2008

Firefox joins security patch day treadmill

Posted by Ryan Naraine @ 6:58 pm

Categories: Arbitrary Code Execution, Botnets, Browsers, Data theft, Denial of Service (DoS), Firefox, Java, Malware, Microsoft, Mozilla, Patch Watch, Spam and Phishing, Viruses and Worms, Vulnerability research

Tags: Mozilla Firefox, Mozilla Firefox 2.0, Web Browser, Bulletin, Web Browsers, Security, Internet, Ryan Naraine

Mozilla is joining Microsoft and Opera on the browser patching treadmill.

The open-source group has rolled out the final security fix for the Firefox 2 branch and a new version of Firefox 3 to plug about a dozen security holes that could lead to remote code execution attacks, browser crashes and information disclosure issues.

[ SEE: ‘End of life’ beckons for Firefox 2 ]

In all, Mozilla released eight different bulletins with details on the security flaws. Three of the bulletins carry a “critical” label, meaning they can be exploited “to run attacker code and install software, requiring no user interaction beyond normal browsing.”

One of the bulletins carries a “high severity” rating, meaning it can be used by hackers “to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.”

[ SEE: ‘Extremely severe’ vulnerabilities in Opera browser ]

The details:

  • MFSA 2008-69 XSS vulnerabilities in SessionStore
  • MFSA 2008-68 XSS and JavaScript privilege escalation
  • MFSA 2008-67 Escaped null characters ignored by CSS parser
  • MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters
  • MFSA 2008-65 Cross-domain data theft via script redirect error message
  • MFSA 2008-64 XMLHttpRequest 302 response disclosure
  • MFSA 2008-63 User tracking via XUL persist attribute
  • MFSA 2008-60 Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)

Some of the bugs only affect Firefox 3 so it is important for all Firefox users to apply the update that’s released via the browser’s automatic patching mechanism.

As I previously reported, Mozilla is not planning any more security and stability updates for Firefox 2. If you are still on the old version, also note that the Google-powered anti-phishing protection will no longer be available for Firefox 2 users.

ALSO SEE: As attacks escalate, MS readies emergency IE patch

* Image source: _sarchi’s Flickr photostream (Creative Commons 2.0)

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.



  • Talkback
  • Most Recent of 22 Talkback(s)
Edison?
I'm somewhat surprised there aren't more ******** IE fans aren't working to find FF/Chrome/Opera/... browsers in order to show as many weaknesses as possible.

It reminds me of the Edison/Tesla ...
Posted by: Mihi Nomen Est Posted on: 12/27/08