Patch Management

Update: Firefox flaws fixed in update

September 16, 2006

Mozilla has released the latest version of its increasingly popular Firefox web browser, which corrects seven security bugs, including four rated critical.


The new version, Firefox 1.5.0.7, released on Thursday, also corrects two flaws deemed "moderate" and one rated "low." The four critical fixes address vulnerabilities related to memory corruption, RSA signature verification and JavaScript, according to Mozilla.

Secunia said in an advisory today that the bundle of flaws - which it rated "highly critical" - can be exploited to conduct man-in-the-middle and cross-site scripting attacks, in addition to compromising a user's system.

One flaw is related to an error in the handling of JavaScript, which could lead to arbitrary code execution, according to Secunia. Another can be exploited when users accept an unverifiable SSL certificate while visiting a website, which could allow an attacker to redirect them to a man-in-the-middle site.

A third critical flaw is related to errors that occur during text display. This hole can be exploited to corrupt memory and execute arbitrary code. Another is related to the verification of signatures handled by the bundled Network Security Services library.

A fifth flaw can allow injection of arbitrary HTML and script across domains. Similarly, another vulnerability allows script injection when blocked pop-ups are opened. A final flaw is related to unspecified memory corruption that could lead to arbitrary code execution.

"Firefox 1.5.0.7 is a security and stability update that is part of our ongoing program to provide a safe internet experience for our customers," Mozilla said on its website. "We recommend that all users upgrade to the latest version."

A Mozilla representative could not be reached for comment.

Several researchers, including SANS experts in their latest Internet Security Vulnerabilities report, have said that as more users abandon Internet Explorer, hackers will turn their attention to alternative web browsers, such as Firefox.

Users running Firefox 1.5 will receive an automatic notification that a new version is available for download, the company said.

Email Dan Kaplan.
