Firefox Dirty Dozen: Critical Update Nukes Code Execution Holes

The open-source browser is patched to fix identity theft, cross-site scripting and remote code execution vulnerabilities.

Mozilla's fast-growing Firefox browser has undergone a major security makeover to fix at least a dozen security flaws that put users at risk of identity theft, cross-site scripting and remote code execution attacks.

The update, released late Feb. 7, provides cover for four vulnerabilities rated "critical" and three that carry a "high risk" severity warning.
The Firefox release comes more than three weeks after the public disclosure of a "high risk" bug in the way the browser deals with certain add-ons.
"The chrome: URI scheme improperly allowed directory traversal that could be used to load JavaScript, images, and stylesheets from local files in known locations. This traversal was possible only when the browser had installed add-ons which used 'flat' packaging rather than the more popular .jar packaging, and the attacker would need to target that specific add-on," Mozilla confirmed in an alert.
The flaw was originally tagged as a "low risk" issue that could be exploited to hijack the contents of the browser's sessionstore.js file, which contains session cookie data and information about currently open Web pages, but was later updated when the higher severity risk was discovered.
In this latest patch roll-up, Mozilla warned that three of the vulnerabilities could be used to run arbitrary code. This could include drive-by installations of bots, Trojans, spyware and other malicious executables.
Another critical alert accompanying this update warns about "a series of vulnerabilities" that allow scripts from page content to escape from its sandboxed context and/or run with chrome privileges.
The advisory only lists one CVE entry (the standard used to document and count software flaws) but mentions "an additional vulnerability" that can be exploited via the Web to inject script into another Web site, violating the browser's same-origin policy.
The third critical vulnerability note discusses browser crashes that showed evidence of memory corruption; because Mozilla assumes that they are potentially exploitable, they are listed as a serious security risk.
The open-source group warned that Thunderbird, which shares the browser engine with Firefox, could be vulnerable if JavaScript is enabled in the mail client.
"Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript such as large images," Mozilla said.
Separately, Mozilla user experience lead Mike Beltzner disclosed that Firefox 3 Beta 3 is on tap to ship to testers on Feb. 12. Firefox 3 is a major security-centric revision that includes a Google-powered malware blocker and a new anti-phishing feature that will completely block forged Web sites.