February 7th, 2008
Mozilla delivers patches for Firefox; Plugs flat file vulnerability
Mozilla on Friday delivered its Firefox 2.0.0.12 update including patches that fix a Web forgery flaw, browsing history and forward navigation stealing and the directory traversal via chrome, which has been the most visible vulnerability of late.
According to the Firefox security advisory, Mozilla filed the following fixes in its flagship browser:
- MFSA 2008-11 Web forgery overwrite with div overlay
- MFSA 2008-10 URL token stealing via stylesheet redirect
- MFSA 2008-09 Mishandling of locally-saved plain text files
- MFSA 2008-08 File action dialog tampering
- MFSA 2008-06 Web browsing history and forward navigation stealing
- MFSA 2008-05 Directory traversal via chrome: URI
- MFSA 2008-04 Stored password corruption
- MFSA 2008-03 Privilege escalation, XSS, Remote Code Execution
- MFSA 2008-02 Multiple file input focus stealing vulnerabilities
- MFSA 2008-01 Crashes with evidence of memory corruption (rv:1.8.1.12).
The most notable of the bunch is MFSA 2008-05. This fix covered that vulnerability that allowed an attacker to run off with stored cookies and other data contained in flat files. The vulnerability was discovered by researcher Gerry Eisenhaur. On Jan. 29, Mozilla security chief Window Snyder upgraded the vulnerability and set plans for Firefox 2.0.0.12. On Jan. 22, Snyder confirmed a proof of concept vulnerability discovered by Eisenhaur on Jan. 19.
Regarding the flat file flaw Mozilla said:
URI scheme improperly allowed directory traversal that could be used to load JavaScript, images, and stylesheets from local files in known locations. This traversal was possible only when the browser had installed add-ons which used “flat” packaging rather than the more popular .jar packaging, and the attacker would need to target that specific add-on.
Mozilla researcher moz_bug_r_a4 reported that this vulnerability could be used to steal the contents of the browser’s sessionstore.js file, which contains session cookie data and information about currently open web pages.
Another critical flaw (MFSA-2008-06) was one that allowed the stealing of Web browsing and forward navigation stealing. Mozilla noted:
Mozilla contributor David Bloom reported a vulnerability in the way images are treated by the browser when a user leaves a page which utilizes designMode frames. The reported issue can be used to steal a user’s navigation history, forward navigation information, and crash the user’s browser. The crash showed evidence of memory corruption and might be exploitable to run arbitrary code.
And a third critical vulnerability (MFSA-2008-03) covered a “privilege escalation, XSS Remote Code Execution.”
Mozilla said:
Mozilla contributors moz_bug_r_a4 and Boris Zbarsky submitted a series of vulnerabilities which allow scripts from page content to escape from its sandboxed context and/or run with chrome privileges. An additional vulnerability reported by moz_bug_r_a4 demonstrated that the XMLDocument.load() function can be used to inject script into another site, violating the browser’s same-origin policy.
And finally Firefox 2.0.0.12 addresses crashes due to memory corruption (MFSA-2008-01). Mozilla noted:
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox 2.0.0.12 and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
The remaining patches covered vulnerabilities that were deemed less critical. These vulnerabilities also affected Thunderbird and SeaMonkey.
Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic. See his full profile and disclosure of his industry affiliations.
| 02/08/08
