All three major Web browsers have been patched this week as Chrome and Firefox gets updated again to close a remotely exploitable flaw. Microsoft fixed several bugs in Internet Explorer as well.
Mozillajust days after fixing multiple security flaws in their Web browsershave
updated their products again to fix a serious bug that could result in remote code
On Feb. 17, Mozilla
fixed an integer overflow bug in the libpng graphics library used by its
Firefox Web browser and Thunderbird mail client. Google fixed the same bug two
days earlier in its own update to the Chrome Web browser. An attacker could
craft malicious images that exploit this bug and compromise users by simply
having them view the image using vulnerable software, Mozilla said in its security advisory
15 security update had fixed the libpng vulnerability along with 12 other high-
and medium-risk integer and heap overflow and use-after-free vulnerabilities.
The latest version of Chrome also included the new version of the Adobe Flash
Player plug-in to address a recently patched zero-day flaw. Google paid at
least $6,837 in bug bounties to researchers who identified the flaws, according
to a post by Jason Kersey on the Google Chrome blog
"bug is remotely exploitable and can lead to arbitrary code
execution," Mozilla warned in its advisory.
major Web browsers were updated this week to address critical security flaws.
Google's latest release actually follows another update on Feb. 9 when the
company closed 20 flaws in Chrome. Only one of the bugs had been rated
critical, but six were considered high-risk. In that release, Google also
announced a new security feature that would check for malicious downloads by
scanning executable files. If the executable being downloaded didn't match a
whitelist of approved files, Chrome would ping Google servers for more
information about the Website's trustworthiness, such as whether the source was
known to host malware.
bundles the Flash Player plug-in with Chrome, it is responsible for updating
the browser whenever Adobe releases an update of the player. Adobe updated Flash Player
on Feb. 15 and
disclosed a cross-site scripting flaw that was already being exploited in
targeted attacks against Internet Explorer users on Windows systems. Users were
being tricked into clicking on a malicious link delivered in an email message
to exploit the XSS flaw, Adobe said.
also just updated its brand-new Firefox 10, released in January, with version 10.0.1
on Feb. 11. The use-after-free
flaw was in a component that was used by Firefox, Thunderbird and SeaMonkey.
The flaw seems to have been introduced in Firefox 10, since versions 9 and
earlier were not affected by this issue.
On Feb. 14, Microsoft
addressed four critical flaws in Internet Explorer as part of its February Patch Tuesday
. If exploited
successfully, the vulnerabilities could allow remote code execution if a user
views a specially crafted Web page using Internet Explorer versions 7, 8 or 9.
The attacker could gain the same user rights as the logged-on user, according
increasingly relying on browser exploits to compromise users, so it was
critical that users and administrators update to the latest versions as soon as
possible, security experts advised.