Thursday, December 18, 2008

Mozilla Fixes Security Bugs In Firefox Browser

By Stefanie Hoffman, ChannelWeb

7:44 PM EST Wed. Dec. 17, 2008
Mozilla patched numerous security flaws in its Firefox Web browser Tuesday, six of which were rated "critical" because they could allow attackers to hijack users' sessions while they surf the Web.

The latest version of Firefox, 3.0.5, repaired a multitude of bugs that could enable remote attackers to execute malicious code, either crashing a vulnerable system or infiltrating a victim's computer to steal information.

One of the most serious vulnerabilities repaired by the update allowed attackers to inject malicious URLs into the browser's session restore feature. The flaw could be used to violate the same-origin policy and launch a cross-site scripting attack against a victim whose session was being restored by SessionStore; such attacks are often used to steal financial, identifying and other sensitive information.

Another critical error fixed by the Mozilla patch was found to be related to the XBL binding -- an issue that could also be used by attackers to violate the same origin policy and execute arbitrary JavaScript when the XBL binding is attached to an unloaded Web page.

In addition, Mozilla's update provided an umbrella fix for several critical memory corruption bugs in the Firefox engine and other Mozilla-based products which, if exploited, allowed attackers to crash vulnerable systems or execute malicious code.

The only bug that Mozilla rated "important" allowed attackers to redirect users to a malicious site and launch a cross-domain attack for data-theft purposes. Specifically, a specially crafted Web site could read a limited amount of data from a different domain by loading a same-domain JavaScript URL that redirects to an off-domain site.

However, exactly how much data would be at risk would "depend on the format of the data and how the JavaScript parser attempts to interpret it," according to Mozilla's advisory. For most files, the amount of data susceptible to theft would be limited to the "first word or two," while some data files might allow more severe or comprehensive theft, or repeated attacks, the advisory warned.

Meanwhile, the latest Mozilla security bulletin also repaired a total of 10 errors in Firefox 2, eight of them shared with version 3.0.5, updating the older branch to 2.0.0.19.

Mozilla said that the security update was the final one before it officially retires version 2.0. Samuel Sidler, a Mozilla engineer, said on the Mozilla.dev.planning forum that the company was not planning to release any further security updates for Firefox 2, and that the Phishing Protection service, which protects users from fraud and other malicious attacks, would no longer be available for the older version of the browser. Sidler said that the company recommended that users upgrade to Firefox 3 "as soon as possible."

"It's free, and your settings and bookmarks will be preserved," he said.

Source: http://www.crn.com/security/212501064
