Google and Mozillajust days after fixing multiple security flaws in their Web browsershave updated their products again to fix a serious bug that could result in remote code execution.
On Feb. 17, Mozilla fixed an integer overflow bug in the libpng graphics library used by its Firefox Web browser and Thunderbird mail client. Google fixed the same bug two days earlier in its own update to the Chrome Web browser. An attacker could craft malicious images that exploit this bug and compromise users by simply having them view the image using vulnerable software, Mozilla said in its security advisory.
Google’s Feb. 15 security update had fixed the libpng vulnerability along with 12 other high- and medium-risk integer and heap overflow and use-after-free vulnerabilities. The latest version of Chrome also included the new version of the Adobe Flash Player plug-in to address a recently patched zero-day flaw. Google paid at least $6,837 in bug bounties to researchers who identified the flaws, according to a post by Jason Kersey on the Google Chrome blog.
The libpng “bug is remotely exploitable and can lead to arbitrary code execution,” Mozilla warned in its advisory.
All three major Web browsers were updated this week to address critical security flaws. Google’s latest release actually follows another update on Feb. 9 when the company closed 20 flaws in Chrome. Only one of the bugs had been rated critical, but six were considered high-risk. In that release, Google also announced a new security feature that would check for malicious downloads by scanning executable files. If the executable being downloaded didn’t match a whitelist of approved files, Chrome would ping Google servers for more information about the Website’s trustworthiness, such as whether the source was known to host malware.
Since Google bundles the Flash Player plug-in with Chrome, it is responsible for updating the browser whenever Adobe releases an update of the player. Adobe updated Flash Player on Feb. 15 and disclosed a cross-site scripting flaw that was already being exploited in targeted attacks against Internet Explorer users on Windows systems. Users were being tricked into clicking on a malicious link delivered in an email message to exploit the XSS flaw, Adobe said.
Mozilla had also just updated its brand-new Firefox 10, released in January, with version 10.0.1 on Feb. 11. The use-after-free flaw was in a component that was used by Firefox, Thunderbird and SeaMonkey. The flaw seems to have been introduced in Firefox 10, since versions 9 and earlier were not affected by this issue.
On Feb. 14, Microsoft addressed four critical flaws in Internet Explorer as part of its February Patch Tuesday. If exploited successfully, the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer versions 7, 8 or 9. The attacker could gain the same user rights as the logged-on user, according to Microsoft.
Attackers are increasingly relying on browser exploits to compromise users, so it was critical that users and administrators update to the latest versions as soon as possible, security experts advised.