February 23rd, 2007

Mozilla zaps Firefox security bugs

Posted by Ryan Naraine @ 11:57 am

Categories: Browsers, Exploit code, Firefox, Google, Mozilla, Open source, Patch Watch, Responsible disclosure, Spam and Phishing, Vulnerability research

Tags: Mozilla Firefox, Mozilla Corp., Security Bug, Ryan Naraine

Mozilla has rolled out a major security update to fix a total of seven vulnerabilities in its flagship Firefox browser.

The batch of patches applies to users of Firefox 1.5.0.10 and Firefox 2.0.0.2 (Windows, Mac, and Linux) and is available as a free download at getfirefox.com.

“Due to the security fixes, we strongly recommend that all Firefox users upgrade to these latest releases,” said Mike Schroepfer, vice president of engineering at Mozilla.

The patches will be released over the next 24 to 48 hours via the automatic update mechanism in Firefox 1.5.0.x and Firefox 2.0.0.x. Starting later today, users can get the upgrade from the “Check for Updates” feature in the Help menu.

Note: Support for Firefox 1.5.0.x ends on April 24, 2007. After that, Mozilla will no longer ship security and stability updates for older browser versions.

Today’s update covers these seven security bugs:

  • MFSA 2007-07: Embedded nulls in location.hostname confuse same-domain checks
  • MFSA 2007-06: Mozilla Network Security Services (NSS) SSLv2 buffer overflow
  • MFSA 2007-05: XSS and local file access by opening blocked popups
  • MFSA 2007-04: Spoofing using custom cursor and CSS3 hotspot
  • MFSA 2007-03: Information disclosure through cache collisions
  • MFSA 2007-02: Improvements to help protect against Cross-Site Scripting attacks
  • MFSA 2007-01: Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2)

  • Also see: Is this the month of Firefox bugs?

    Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.



    • Talkback
    • Most Recent of 3 Talkback(s)
    I agree, it didn't take long for them to drop 1.5 support
    April 24th?! Could you imagine the outcry if MS stopped supporting IE6 that soon after IE7 was released?...
    Posted by: PB_z Posted on: 02/26/07
    Well that didn't take long!  Linux User 147560 | 02/23/07
    Indeed. I turned on the PC this morning and it auto installed.  bportlock | 02/25/07
    I agree, it didn't take long for them to drop 1.5 support  PB_z | 02/26/07
