Mozilla fixed a handful of critical vulnerabilities in Firefox 7 and Thunderbird 3.15. Users should download the update from the official Mozilla site and not fall for look-alike sites.
Mozilla fixed eight known security flaws in the latest version of the popular Firefox Web browser. Mozilla also fixed a cross-site scripting bug in Firefox 6, six weeks after its release.
Firefox 7, released Sept. 27, contains fixes for six "critical" and two "moderate" vulnerabilities in Firefox, according to Mozilla's security advisory. The Firefox 6 XSS flaw was rated "high." A separate integer-underflow issue, rated "critical," was also fixed in the Thunderbird 3.15 email client.
Mozilla rates vulnerabilities as "critical" if they can potentially be exploited by attackers to remotely run malicious code and install software on the computer without user interaction.
"In short, if you don't keep your Web browser patched, cyber-criminals might exploit a vulnerability to install malware on your computer," Graham Cluley, senior technology consultant at Sophos, wrote on the Naked Security blog.
Four of the critical patches address problems in both Firefox and Thunderbird: a use-after-free condition with OGG headers, an exploitable crash in the YARR regular expression library, a code installation issue with the Enter key and multiple memory flaws. Another patch, also available for both products, defends against multiple Location headers caused by Carriage Return/Line Feed (CRLF) injection attacks. CRLF injection is an application attack in which carriage-return and line-feed characters are inserted into input so that the application emits extra lines or records, in this case additional HTTP headers.
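To make the CRLF problem concrete, here is an added example in Python (not code from the article, Sophos or Mozilla): a naive redirect builder, a header parser that shows the injected value arriving as a second Location header, and the check a server should apply before emitting the header. The URLs and the injected value are constructed for the example.

```python
"""Added example: how a CRLF in a redirect target produces two Location
headers, and the server-side check that prevents it."""
import re
from typing import Dict, List

# Constructed sample inputs. INJECTED_TARGET carries a CRLF followed by a
# second Location header, the shape of a header-injection attempt.
SAFE_TARGET = "https://www.mozilla.org/firefox/"
INJECTED_TARGET = "https://www.mozilla.org/\r\nLocation: http://attacker.example/"


def build_redirect_response(target: str) -> bytes:
    """Naive server code: drops the value straight into the header block."""
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n".encode()


def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Minimal header parser that keeps every occurrence of a header name,
    so a split value shows up as two Location entries instead of one."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")[1:]  # skip the status line
    headers: Dict[str, List[str]] = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def location_count(target: str) -> int:
    """How many Location headers a client would see for this target."""
    return len(parse_headers(build_redirect_response(target)).get("location", []))


# Any CR, LF or NUL can terminate the header line early.
_CTL = re.compile(r"[\r\n\x00]")


def is_safe_location(target: str) -> bool:
    """True when the value contains no line-ending control characters."""
    return _CTL.search(target) is None


def safe_location(target: str) -> str:
    """Hardened form: refuse the value rather than emit a split header."""
    if not is_safe_location(target):
        raise ValueError("control characters not allowed in Location header")
    return target
```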
Mozilla also adopted a cosmetic change from Google Chrome to make it easier for users to tell whether a site is on HTTP or HTTPS. Firefox 7 suppresses the "http://" prefix in Website addresses so users just see the address. If the site is configured to use HTTPS, Firefox 7 shows the full URL, giving users a clear visual cue when site addresses change.
At least one scammer is trying to take advantage of the intense interest in the latest version of Firefox. A search for "Firefox 7" on Google shows "firefox7.org" appearing high on the search results page. The official download site is on Mozilla.org.
Firefox7.org displays a page with some promotional information about the new version of the Web browser, according to Cluley. The download links all point to a Google Blogspot page called "mozillas."
"As you may have guessed by now, Firefox7.org isn't run by Mozilla," Cluley wrote on the Naked Security blog.
The domain was registered in May to an individual in China named Xiaojuan Zhang. Interestingly, the fake Website does not appear on the first page of search results on Bing.
The fake site doesn't do anything at the moment, nor is it hosting any malware, but as Cluley noted, "the site could be updated at any time." Some of the pages contain Google AdWords, so it is possible the site is making some money, especially considering how highly the page currently ranks in Google Search.
"It seems pretty silly for Mozilla not to have registered this domain to avoid this kind of thing from happening," Cluley said.
In other changes, Mozilla is working on Firefox's reputation as a memory hog. Firefox 7 can use up to 50 percent less memory than previous versions, according to Nicholas Nethercote, developer at Mozilla.