Mozilla released version 3.0.7 of Firefox on Wednesday, addressing three critical flaws and over thirty bug fixes. The Mozilla release comes just after Opera released their own update, and a few weeks after Apple released a new version of Safari. If you haven’t done so already, upgrade your browser.
Moxilla releases Firefox 3.0.7 addressing five security flaws. Image: psd/Flickr.
Three critical fixes in Firefox 3.0.7 deal with crashes, garbage collection, and PNG libraries. Mozilla engineers noticed various stability issues, some of which triggered crashes in the browser. The engineers, taking the safe path in assumption, decided that since some of the crashes triggered memory corruption, they should be fixed quickly.
“Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code,” Mozilla said in a security advisory.
As a side note, this same critical fix is also issued for Thunderbird, as the mail client uses the same engine as the browser.
Thanks to an unknown researcher, a flaw in the garbage collection process was also corrected.
The Mozilla Security Advisory explains, “The vulnerability was caused by improper memory management of a set of cloned XUL DOM elements which were linked as a parent and child. After reloading the browser on a page with such linked elements, the browser would crash when attempting to access an object which was already destroyed. An attacker could use this crash to run arbitrary code on the victim's computer.”
Like the random crashing fix, this too was included in the update to Thunderbird.
Lastly, rounding out the critical fixes, Glenn Randers-Pehrson reported issues in the libpng, which Glenn maintains could be exploited by an attacker to trigger crashes that lead to code execution.
A fourth security fix, rated high by Mozilla, came from Georgi Guninski and addresses XML data theft via RDFXMLDataSource and cross-domain redirection. Masahiro Yamada reported a flaw ranked as low on the security list. The flaw centers on invisible control characters. According to the advisory, certain control characters were being decoded when displayed in the address bar, resulting in fewer characters being visible that were present in the actual location. This could be exploited by an attacker to display misleading URLs.
Firefox 3.0.6 users started getting the updates early Thursday morning. For everyone else, the new install files are online in the various repositories and on http://www.mozilla.com/en-US/firefox/.
Interested in a more interactive TTH? Join our Facebook Group Want regular updates from The Tech Herald? Follow us on Twitter
Advertising
Comment on this Story