Firefox Update Zaps Code Execution Bugs

The most serious of the flaws affect the browser's JavaScript engine and could lead to privilege escalation or arbitrary code execution attacks.

Mozilla is shipping a "critical" Firefox update to provide patches for at least 11 security vulnerabilities affecting the open-source browser.
The most serious of the flaws affects the browser's JavaScript engine and could lead to privilege escalation or arbitrary code execution attacks, Mozilla said in release notes on March 25 that accompanied the Firefox update.
The new Firefox fixes six different security issues (11 documented vulnerabilities) that put Windows users at risk of theft of authentication credentials, information disclosure, script execution with elevated privileges, denial of service and cross-site request forgery attacks.
Mozilla warned that some of these issues also affect Mozilla Thunderbird prior to and SeaMonkey prior to 1.1.9.
The most serious issue, detailed in MFSA 2008-14, addresses at least three flaws that allow scripts from page content to run with elevated privileges. In certain scenarios, Mozilla has confirmed that malicious code could be executed through XPCNativeWrapper pollution. It has also been proven that Firefox could be forced to run JavaScript code using the wrong principal, leading to universal XSS (cross-site scripting) and arbitrary code execution.
Because Thunderbird shares the browser engine with Firefox, the mail client could be vulnerable if JavaScript is enabled. "This is not the default setting and we strongly discourage users from running JavaScript in mail," Mozilla said.
The open-source group also urged Firefox users to pay special attention to MSFA 2008-15, which addresses browser crashes with evidence of memory corruption.
"Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code," the group warned.
"Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript such as large images."
The latest update also fixes a problem with the HTTP Referer header, a privacy issue with SSL Client Authentication and several bugs in the way "jar:" content is fetched.