Mozilla patched eight flaws in its products on Thursday, including “critical” issues in Firefox, Thunderbird and SeaMonkey.
Firefox version 2.0.0.8 includes a cumulative fix for bugs leading to crashes and a fix for the way Script object modifies XPCNativeWrappers.
Mozilla disclosed on Thursday that some of the crash-causing issues could eventually be exploited to run arbitrary code on a victimized PC.
Mozilla researcher moz_bug_r_a4 was credited with discovering the other critical flaw, which can be exploited when using the Script object to modify XPCNativeWrappers so that subsequent access by the browser chrome can cause attacker-supplied JavaScript to run.
The distribution also patched a flaw in Firefox for Windows XP with Internet Explorer 7 installed that occurs with a malformed URI. Billy (BK) Rios and Nate Mcfeters were credited with disclosing the flaw.
The fix detects when Windows would mishandle such URIs so that the wrong program does not get launched, according to Mozilla's advisory.
The Mountain View, Calif.-based company also patched a “moderate” flaw in Firefox and SeaMonkey that could allow file stealing through a URI scheme.
The vulnerability, reported by Georgi Guninski, can be exploited if an attacker stores a malicious page on a server and lures a victim into loading it.
Also fixed were moderate flaws in Digest Authentication request splitting and file upload control, as well as low-danger flaws in XUL pages and onUnload Tailgating.
The group of flaws earned a “critical” ranking from FrSIRT in an advisory released today, and a “highly critical” ranking from Secunia.
Rene Gonzalez, product manager at Lumension, an endpoint security vendor, said that as Firefox becomes more popular, it will also receive increased attention from researchers.
“The trend seems to be with the browser. Every month they have a new update for the browser, and as it becomes more popular, more vulnerabilities become prominent on the desktop,” Gonzalez told SCMagazineUS.com today.
Firefox version 2.0.0.8 includes a cumulative fix for bugs leading to crashes and a fix for the way Script object modifies XPCNativeWrappers.
Mozilla disclosed on Thursday that some of the crash-causing issues could eventually be exploited to run arbitrary code on a victimized PC.
Mozilla researcher moz_bug_r_a4 was credited with discovering the other critical flaw, which can be exploited when using the Script object to modify XPCNativeWrappers so that subsequent access by the browser chrome can cause attacker-supplied JavaScript to run.
The distribution also patched a flaw in Firefox for Windows XP with Internet Explorer 7 installed that occurs with a malformed URI. Billy (BK) Rios and Nate Mcfeters were credited with disclosing the flaw.
The fix detects when Windows would mishandle such URIs so that the wrong program does not get launched, according to Mozilla's advisory.
The Mountain View, Calif.-based company also patched a “moderate” flaw in Firefox and SeaMonkey that could allow file stealing through a URI scheme.
The vulnerability, reported by Georgi Guninski, can be exploited if an attacker stores a malicious page on a server and lures a victim into loading it.
Also fixed were moderate flaws in Digest Authentication request splitting and file upload control, as well as low-danger flaws in XUL pages and onUnload Tailgating.
The group of flaws earned a “critical” ranking from FrSIRT in an advisory released today, and a “highly critical” ranking from Secunia.
Rene Gonzalez, product manager at Lumension, an endpoint security vendor, said that as Firefox becomes more popular, it will also receive increased attention from researchers.
“The trend seems to be with the browser. Every month they have a new update for the browser, and as it becomes more popular, more vulnerabilities become prominent on the desktop,” Gonzalez told SCMagazineUS.com today.
