The most critical flaw in Firefox hasn’t been addressed in the update released today.
Mozilla’s out with Firefox updates and is urging that customers upgrade immediately to fix critical security holes and stability issues. Issued today were Firefox 1.5.0.10, Firefox 2.0.0.2, and Thunderbird 1.5.0.10, available for Windows, Mac and Linux at getfirefox.com and getthunderbird.com.
Mike Schroepfer, vice president of engineering, said in a written release that the update resolves Firefox’s critical location.hostname vulnerability, along with other unspecified security and stability issues.
Unmentioned was another critical flaw, discovered yesterday, having to do with memory corruption and possible PC takeover.
Digging into the details of the fixes initially revealed that the memory corruption issue was indeed fixed in 2.0.0.2.
However, a Mozilla spokesperson has said that she has received confirmation that the memory corruption bug (bug 371321) has not been addressed in the 2.0.0.2 update. “Mozilla is investigating the issue but does not have a comment at this time,” she said in an e-mail exchange.
The full list of fixes in that release:
MFSA 2007-07: Embedded nulls in location.hostname confuse same-domain checks. This is a high severity flaw, with the vulnerability able to be used to gather sensitive data from sites in other windows or to inject data or code into those sites, requiring no more than normal browsing actions.
MFSA 2007-06: Mozilla Network Security Services (NSS) SSLv2 buffer overflow
MFSA 2007-05: XSS and local file access by opening blocked popups
MFSA 2007-04: Spoofing using custom cursor and CSS3 hotspot
MFSA 2007-03: Information disclosure through cache collisions
MFSA 2007-02: Improvements to help protect against Cross-Site Scripting attacks
MFSA 2007-01: Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2). This is the most critical of the bunch, with the vulnerability able to be used to run attacker code and install software, requiring no user interaction beyond normal browsing.
The rest of the list is composed of flaws that are moderate to low risk. The critical location.hostname flaw, along with the other low- to medium-risk flaws, makes the upgrade advisable, but Firefox at this point appears to still be vulnerable to the worst of the bunch.
*Note: This posting was changed to reflect Mozilla’s update on bug 371321 not having been addressed in the update.