April 22nd, 2009
Mozilla patches a dozen Firefox vulnerabilities
Mozilla has shipped a refresh of its flagship Firefox browser to fix a dozen documented vulnerabilities that expose users to URL spoofing, cross-site scripting, code injection and code execution attacks.
The most serious fix (MFSA 2009-14) covers four browser engine and JavaScript engine crashes where Mozilla’s developers found evidence of memory corruption.
Whenever browser crashes show evidence of memory corruption, Mozilla presumes that with enough effort at least some of these crashes could be exploited to run arbitrary code.
Some other fixes of note:
- MFSA 2009-17: Security researcher Gregory Fleischer reported that when an Adobe Flash file is loaded via the
view-source:scheme, the Flash plugin misinterprets the origin of the content as localhost, leading to two specific vulnerabilities:
-
- The Flash file can bypass restrictions imposed by the crossdomain.xml mechanism and initiate HTTP requests to arbitrary third-party sites. This vulnerability could be used by an attacker to perform CSRF attacks against these sites.
- The Flash file, being treated as a local resource, can read and write Local Shared Objects on a user’s machine. This vulnerability could be used by an attacker to place cookie-like objects on a user’s computer and track them across multiple sites.
Additionally, Fleischer reported that the jar: protocol could be used to bypass restrictions normally preventing content loaded via view-source: from being rendered.
- MFSA 2009-19: Mozilla security researcher moz_bug_r_a4 reported that it is possible to create a document whose URI does not match the document’s principal using
XMLHttpRequest. This type of mismatch leads to incorrect results in principal-based security checks. An attacker could use this vulnerability to execute arbitrary JavaScript within the context of another site.moz_bug_r_a4 separately reported thatXPCNativeWrapper.toString’s__proto__comes from the wrong scope which results in calls to that function being executed in the wrong context in certain circumstances. An attacker could use this vulnerability to run arbitrary code within the context of a different site. Alternatively, if chrome were to callcontent.toString.call(), then attacker-defined functions could be run with chrome privileges.
Also see:
- MFSA 2009-21 POST data sent to wrong site when saving web page with embedded frame
- MFSA 2009-20 Malicious search plugins can inject code into arbitrary sites
- MFSA 2009-18 XSS hazard using third-party stylesheets and XBL bindings
- MFSA 2009-16 jar: scheme ignores the content-disposition: header on the inner URI
- MFSA 2009-15 URL spoofing with box drawing character
- MFSA 2009-14 Crashes with evidence of memory corruption (rv:1.9.0.9)
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
