Mozilla urges upgrades for product flaws

Mozilla is reporting three vulnerabilities affecting its products - the most severe being a JavaScript flaw that could allow for the remote execution of code - US-CERT (the U.S. Computer Emergency Readiness Team) said today in an alert.

The bugs are corrected in Firefox 1.5.0.8, Thunderbird 1.5.0.8 and SeaMonkey 1.0.6, but browser users are encouraged to upgrade to Firefox 2.0 because support for 1.5 ends in April.

The riskiest vulnerability - affecting Mozilla's web browser Firefox, email client Thunderbird and internet suite SeaMonkey - can be exploited by a malicious user modifying a Script object, which could allow for the remote execution of arbitrary JavaScript code, according to a Mozilla advisory issued Tuesday.

The second flaw could allow for the forging of RSA digital signatures, according to Mozilla.

"Forging an RSA signature may allow an attacker to craft a TLS/SSL or email certificate that will not be detected as invalid," the US-CERT alert said. "This may allow that attacker to impersonate a website or email system that relies on certificates for authentication."

The third vulnerability is related to memory corruption and could lead to a system crash.

News of the bugs comes two weeks after Mozilla released its latest browser version, Firefox 2.0.

Like Microsoft's Internet Explorer 7, also released last month, Firefox 2.0's most significant security feature is new anti-phishing technology, Window Snyder, Mozilla's recently hired security chief, has told SCMagazine.com.

A less visible security feature rests in the browser's use of "sandboxing," which prevents untrusted - possibly malicious - code from interacting outside the context of a specific webpage, Snyder said.

Click here to email Dan Kaplan