The Mozilla Foundation late Thursday rolled out a major security update to fix several known cross-site scripting and domain-spoofing vulnerabilities in the upstart Firefox browser.
The upgrade also includes patches for two serious flaws that could allow malicious attackers to spoof the source displayed in the “Download Dialog” box or to spoof the content of Web sites.
Chris Hoffman, director of engineering at the Mozilla Foundation, described the overall Firefox upgrade as “moderately critical” and urged users to apply the fixes as a matter of urgency.
With the IDN patch, Hoffman said the browser now will display the IDN Punycode in the address bar, effectively blocking the spoofing of URLs.
The problem is an unintended consequence of the IDN implementation, which allows international characters in domain names and so lets visually identical characters from different scripts stand in for ASCII letters.
According to a previous warning from research firm Secunia, the flaw could be exploited to spoof the URL displayed in the address bar, SSL (Secure Sockets Layer) certificate and status bar.
Hoffman said a more comprehensive fix would call for coordination between domain name registrars, certificate authorities and rival browser developers. “We're still working with all those vendors to figure out a better solution for handling this issue. We need to all work together to support the spirit of the IDN specification, but we have to ensure that all users are protected,” he said.
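The Punycode display Hoffman describes is the mitigation in its simplest form: a hostname whose labels contain non-ASCII characters is rendered as its ASCII-compatible encoding (the "xn--" form), so a look-alike domain no longer looks like the real one. The following is an added example, not Mozilla's code, that performs that conversion with Python's standard `idna` codec and adds a simple mixed-script check; the script detection (taking the first word of each character's Unicode name) is a deliberate simplification and an assumption of this example, not how Firefox classifies characters.

```python
import unicodedata


def label_scripts(label: str) -> set[str]:
    """Collect the scripts used in one DNS label.

    Simplification (assumption of this example): the script is taken from the
    first word of the character's Unicode name, e.g. 'LATIN SMALL LETTER P'
    -> 'LATIN', 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'. Digits and hyphens
    are common to every script and are skipped.
    """
    scripts: set[str] = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        name = unicodedata.name(ch, "UNKNOWN")
        scripts.add(name.split()[0])
    return scripts


def display_form(hostname: str) -> str:
    """Return the hostname as a browser showing Punycode would display it.

    Pure-ASCII labels are unchanged; any label with non-ASCII characters
    becomes its ACE form ('xn--' followed by the Punycode of the label).
    """
    return hostname.encode("idna").decode("ascii")


def assess_hostname(hostname: str) -> dict:
    """Summarise what a defender would want to know about a hostname:
    the Punycode form the user would see, and which labels mix scripts
    (the classic homograph pattern, e.g. Latin letters plus one Cyrillic letter).
    """
    mixed = [label for label in hostname.split(".") if len(label_scripts(label)) > 1]
    return {
        "is_ascii": hostname.isascii(),
        "display": display_form(hostname),
        "mixed_script_labels": mixed,
    }


if __name__ == "__main__":
    # Constructed sample inputs: the genuine ASCII name, and a look-alike whose
    # second character is CYRILLIC SMALL LETTER A (U+0430) instead of Latin 'a'.
    for host in ("paypal.com", "p\u0430ypal.com"):
        result = assess_hostname(host)
        print(f"{host!r}: shown as {result['display']}, "
              f"mixed-script labels: {result['mixed_script_labels']}")
```

Run as a script it prints the ASCII name unchanged and the look-alike as `xn--pypal-4ve.com`, which is exactly the visible difference the 1.0.1 patch relies on; the mixed-script list is the kind of extra signal a proxy, mail gateway or log-analysis job can use to flag such names without depending on the browser at all.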
Firefox 1.0.1 also corrects a known weakness in the browser that can be exploited by malicious people to trick users into performing unintended actions. The problem is that pop-up windows can overlay modal dialogs to hide the information text in a download or security dialog in order to trick a user into accepting it.
Hoffman said the upgrade also includes a fix for a problem in the way long subdomains and paths are displayed by the browser. An attacker could exploit the hole to obfuscate what is being displayed in the source field of the Download Dialog box.
The upgrade also covers another vulnerability that can allow a Web site to inject content into another site's window if the target name of the window is known. According to Secunia's warning, that flaw could allow a malicious Web site to spoof the content of a pop-up window opened on a trusted Web site.
Despite the security makeover, Hoffman conceded that two other known vulnerabilities remain unpatched because of compatibility testing issues. These include a cross-domain cookie-injection flaw and a Java Plug-in tab spoofing weakness.
Regarding the cookie-injection bug, Hoffman said Mozilla developers are working closely with teams from Opera and Safari to figure out a way to provide a fix without breaking the specifications that cover cookies.
He said the foundation also is working closely with Sun Microsystems Inc. to create and test a fix for the Java Plug-in flaw.
The major security upgrade comes at a crucial time for Firefox, which has enjoyed steady growth in the past six months, largely because of security-related problems with Microsoft Corp.'s dominant Internet Explorer browser.
Driven largely by a grass-roots marketing effort, the Firefox browser has counted more than 27 million downloads over the past three months.