Mozilla has released a security update for Firefox that moved the browser on to version 2.0.16. The same security patches, both rated critical, are also addressed in Firefox 3.0.1.
Mozilla pushes out security alerts Firefox. (IMG:Mozilla)
The two critical patches deal with remote code vulnerabilities and command line URLs spawning tabs when Firefox is not running.
MFSA 2008-34 is the first critical patch. It was reported via TippingPoint's Zero Day Initiative, and centers on issues with Mozilla's internal CSSValue array data structure. An attacker can create a large number of calls to common CSS objects, triggering a crash of the browser when it attempts to free the CSS object while still in use. The resulting crash could be used to execute code on the system.
The second critical issue comes from Billy Rios, who reported that: “if Firefox is not already running, passing it a command-line URI with pipe ("|") symbols will open multiple tabs. This URI splitting could be used to launch chrome:i URIs from the command-line, a partial bypass of the fix for MFSA 2005-53 which was intended to block external applications from loading such URIsi,” Mozilla explains. The vulnerability in MFSA 2005-53 remains patched however.
“For example, web browsers normally handle file: URIs themselves, or block them from web content altogether, but this flaw enabled attackers to pass them from another browser into Firefox. In Firefox 2 scripts running from file: URIs can read data from a user's entire disk, a risk if the attacker could first place a malicious file in a guessable location on the local disk. Rios demonstrated that the so-called "Safari Carpet-bombing vulnerability" could be used for this, as well as other techniques that do not rely on that now-fixed Safari vulnerability,” the advisory added.
Internal testing on Firefox 3.0 also showed that Rios’ research can be combined with various vulnerabilities to trigger code execution. “In Firefox 3 scripts running in local files have limited access to other files, almost entirely mitigating the file: attack. However, combined with a vulnerability which allows an attacker to inject script into a chrome document the above issue could be used to run arbitrary code on a victim's computer.”
Mozilla advises everyone patch as soon as available. Automatic updates will start to appear on the 2.x browsers in the next 24 hours. Manual updates to the 2.x branch are live now. Firefox 3.0.1 was released today. (Notes)
There are currently no comments for this article. Be the first to comment! (no registration required)
Advertising
There are currently no comments for this article. Be the first to comment! (no registration required)