The Tech Herald

Firefox 3.5.6 released offering seven fixes

by Steve Ragan - Dec 18 2009, 16:00

Mozilla pushed Firefox 3.5.6 to the Web this week, and along with various other fixes for glitches and bugs, addressed seven security issues running from Critical to Low on the grading scale.

One of the security fixes, listed as Critical, addressed several bugs in the browser engine in a single update. These bugs, Mozilla said, caused crashes with evidence of memory corruption. Because of that, Mozilla assumed that with enough work someone could exploit these bugs to run code, and patched the issues. Problems discovered in liboggplay, which posed potential memory issues, led to the second Critical fix, with a note that the audio and video abilities added in version 3.5 were not impacted.

Dan Kaminsky and David Keeler reported the same issue independently of one another and discovered problems in the libtheora video library.

“A video's dimensions were being multiplied together and used in particular memory allocations. When the video dimensions were sufficiently large, the multiplication could overflow a 32-bit integer resulting in too small a memory buffer being allocated for the video. An attacker could use a specially crafted video to write data past the bounds of this buffer, causing a crash and potentially running arbitrary code on a victim's computer,” Mozilla said in their advisory on the security patch.
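The bug class Mozilla describes, shown as an added C example that is not libtheora's or Mozilla's code: an unchecked 32-bit multiplication of the dimensions beside an overflow-checked version. The function names, the one-byte-per-pixel sizing and the `MAX_FRAME_BYTES` cap are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy cap on a single frame buffer (hypothetical value). */
#define MAX_FRAME_BYTES (256u * 1024u * 1024u)

/* Unsafe pattern: the product wraps modulo 2^32 before it is used as a size,
 * so very large dimensions yield a small allocation request. */
uint32_t frame_bytes_unchecked(uint32_t width, uint32_t height)
{
    return width * height;
}

/* Hardened: validate by division before multiplying, so the product is never
 * computed unless it fits under the cap. Returns 0 on success, -1 on reject. */
int frame_bytes_checked(uint32_t width, uint32_t height, size_t *out)
{
    if (width == 0 || height == 0)
        return -1;
    if (width > MAX_FRAME_BYTES / height)
        return -1;
    *out = (size_t)width * height;
    return 0;
}

/* Allocate a zeroed frame (one byte per pixel, a simplification);
 * NULL means the header's dimensions were rejected or memory ran out. */
unsigned char *alloc_frame(uint32_t width, uint32_t height)
{
    size_t n;
    if (frame_bytes_checked(width, height, &n) != 0)
        return NULL;
    return calloc(1, n);
}

int main(void)
{
    /* Constructed dimensions: 65536 * 65537 = 2^32 + 65536, which wraps. */
    printf("unchecked size: %u\n", (unsigned)frame_bytes_unchecked(65536u, 65537u));
    printf("checked alloc:  %s\n", alloc_frame(65536u, 65537u) ? "allocated" : "rejected");
    return 0;
}
```

The unchecked function reports 65536 bytes for a frame that actually needs more than 4 GiB, which is the too-small buffer the advisory refers to; the checked path refuses the dimensions before any allocation happens.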

Mozilla's NTLM implementation was vulnerable to reflection attacks, the foundation said in an advisory, in which NTLM credentials from one application could be forwarded to another via the browser.

“If an attacker could get a user to visit a web page he controlled he could force NTLM authenticated requests to be forwarded to another application on behalf of the user.”

The 3.5.6 release also addresses location bar spoofing issues, rated Moderate, discovered by Jonathan Morgan and Jordi Chancel. If Morgan's attack were exploited, a user would believe they were viewing an SSL-encrypted page when in reality no such protection was in place. Chancel's attack could be used to place a legitimate-looking but invalid URL in the location bar and inject HTML and JavaScript into the body of the page.

Another Moderate fix for 3.5.6 comes with a warning that it could turn into a Critical issue depending on how it is exploited. Researcher David James discovered a privilege escalation vulnerability in the chrome window.opener property.

“Using this reference, content in the new window can access functions inside the chrome window, such as eval, and use these functions to run arbitrary JavaScript code with chrome privileges. In a stock Mozilla browser a remote attacker can not cause these application dialogs to appear nor to automatically load the attack code that takes advantage of this flaw in window.opener. There may be add-ons which open potentially hostile web-content in this way, and combined with such an add-on the severity of this flaw could be upgraded to Critical,” Mozilla warned.

The final patch addressed issues with exception messages from Mozilla's GeckoActiveXObject. According to Mozilla, “A malicious site could use this vulnerability to enumerate a list of COM objects installed on a user's system and create a profile to track the user across browsing sessions.”

If you have allowed automatic updates, you may only need a browser restart to apply these fixes. If not, check in the Help menu and look for the update link to get them. Firefox 3.5.6 is available for download now.
