Firefox Dirty Dozen: Critical Update Nukes Code Execution Holes
The open-source browser is patched to fix identity theft, cross-site scripting and remote code execution vulnerabilities.Mozilla's fast-growing Firefox browser has undergone a major security makeover to fix at least a dozen security flaws that put users at risk of identity theft, cross-site scripting and remote code execution attacks. The update, released late Feb. 7, provides cover for four vulnerabilities rated "critical" and three that carry a "high risk" severity warning.
The Firefox 220.127.116.11 release comes more than three weeks after the public disclosure of a "high risk" bug in the way the browser deals with certain add-ons.
The flaw was originally tagged as a "low risk" issue that could be exploited to hijack the contents of the browser's sessionstore.js file, which contains session cookie data and information about currently open Web pages, but was later updated when the higher severity risk was discovered.
In this latest patch roll-up, Mozilla warned that three of the vulnerabilities could be used to run arbitrary code. This could include drive-by installations of bots, Trojans, spyware and other malicious executables.
Another critical alert accompanying this update warns about "a series of vulnerabilities" that allow scripts from page content to escape from its sandboxed context and/or run with chrome privileges.
The advisory only lists one CVE entry (the standard used to document and count software flaws) but mentions "an additional vulnerability" that can be exploited via the Web to inject script into another Web site, violating the browser's same-origin policy.
The third critical vulnerability note discusses browser crashes that showed evidence of memory corruption; because Mozilla assumes that they are potentially exploitable, they are listed as a serious security risk.
Separately, Mozilla user experience lead Mike Beltzner disclosed that Firefox 3 Beta 3 is on tap to ship to testers on Feb. 12. Firefox 3 is a major security-centric revision that includes a Google-powered malware blocker and a new anti-phishing feature that will completely block forged Web sites.