Patch/Configuration Management, Vulnerability Management

Mozilla discloses six security flaws

Mozilla released six security advisories on Wednesday for flaws in its Firefox, SeaMonkey and Thunderbird programs.

The most serious of the half-dozen vulnerabilities is a "critical" flaw in Firefox, Thunderbird and SeaMonkey that can allow crashes if exploited. Mozilla’s investigators have presumed the flaw to allow arbitrary code, according to an advisory.

The organization also advised users to disable JavaScript in Thunderbird or the mail portions of SeaMonkey.

Mozilla credited its developers and security community with reporting the flaw.

All disclosed flaws were fixed in Firefox versions and, Thunderbird and and SeaMonkey 1.0.9 and 1.1.2.

Mozilla also warned of a "high" impact cross-site scripting bug in Firefox that could be used to inject malicious code onto a victimized site. Users were advised to disable JavaScript until a fixed version can be installed.

The Mountain View, Calif.-based organization also fixed a "moderate" security vulnerability in Thunderbird and SeaMonkey APOP Authentication, as well as three "low" impact vulnerabilities in XUL Popup Spoofing, cookie handling and form autocomplete.

Window Snyder, Mozilla chief security something-or-other, told that the organization’s first priority was to push out a patch for the critical crash-allowing flaw in Firefox, SeaMonkey and Thunderbird, rather than determining whether it can also allow arbitrary code.

"That’s the result of our testing…We fix it. We don’t spend time analyzing whether or not it’s exploitable," she said, adding that a release leads to a "more robust and stable" user experience.

Amol Sarwate, director of Qualys’ vulnerability research lab, told today that Mozilla has done well in ranking the flaws’ risk.

"I think that Mozilla did a pretty good job in categorizing the vulnerabilities," he said. "The first (a memory corruption flaw) is definitely critical because there are a large number of malicious websites that can use a vulnerability like this to get (malicious code) on to your machine."

FrSIRT ranked the six flaws as "critical" in an advisory released Wednesday.

Secunia cited four of the vulnerabilities in an advisory released today, raking them "highly critical."

The fixes mark the last release for Firefox version 1.5, for which support ended this week, according to the Mozilla Developer Center site. Firefox 1.5.12 contains a component that can automatically upgrade users to version 2.0 of the alternative browser.

Earlier this week, a University of Indiana graduate student said on his blog that a flaw exists in browser extensions that could be exploited by malicious users. The add-on bug was found in the "upgrade mechanism" used in Firefox extensions.

Many of the third-parties who provide the extensions, such as Yahoo, Google and Facebook, have been notified of the bug but have yet to provide a patch.

Mozilla patched three flaws in two March releases.

Get more IT security news. Click here for SC Magazine Blogs.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.