Mozilla fixed eight known security flaws in the latest version of the popular Firefox Web browser. Mozilla also fixed a cross-site scripting bug in Firefox 6, six weeks after its release.
Firefox 7, released Sept. 27, contains fixes for six “critical” and two “moderate” vulnerabilities in Firefox, according to Mozilla’s security advisory. The Firefox 6 XSS flaw was rated “high.” A different Integer underflow issue, rated “critical,” was also fixed in Thunderbird 3.15 email client.
Mozilla rates vulnerabilities as “critical” if they can potentially be exploited by attackers to remotely run malicious code and install software on the computer without user interaction.
“In short, if you don’t keep your Web browser patched, cyber-criminals might exploit a vulnerability to install malware on your computer,” Graham Cluley, senior technology consultant at Sophos, wrote on the Naked Security blog.
Four of the critical patches address problems in both Firefox and Thunderbird. They address a use-after-free condition with OGG headers, an exploitable crash in the YARR regular expression library, a code installation issue with the Enter key and multiple memory flaws. The patch, also available for both products, defends against multiple Location headers caused by Carriage Return/Line Feed (CRLF) injection attacks. CRLF injection is an application attack that inserts carriage returns to modify records and lines.
Mozilla also adopted a cosmetic change from Google Chrome to make it easier for users to tell when the Website is on HTTP or using HTTPS. Firefox 7 suppresses the “http://” in Website addresses so the users just see the address. If the site is configured to use HTTPS, Firefox 7 shows the full URL, giving users a clear visual cue when site addresses change.
At least one scammer is trying to take advantage of the intense interest in the latest version of Firefox. A search for “Firefox 7” Google shows “firefox7.org” appearing high on the search results page. The official download site is on Mozilla.org.
Firefox7.org displays a page with some promotional information about the new version of the Web browser, according to Cluley. The download links all point to a Google Blogspot page called “mozillas.”
“As you may have guessed by now, Firefox7.org isn’t run by Mozilla,” Cluely wrote on the Naked Security blog.
The domain was registered in May to an individual in China named Xiaojuan Zhang. Interestingly, the fake Website does not appear on the first page of search results on Bing.
The fake site doesn’t do anything at the moment nor is it hosting any malware, but as Cluley noted, “the site could be updated at any time.” Some of the pages contain Google Adwords so it is possible the site is making some money, especially considering how highly ranked the page currently is in Google Search.
“It seems pretty silly for Mozilla not to have registered this domain to avoid this kind of thing from happening,” Cluley said.
In other changes, Mozilla is working on Firefox’s reputation as a memory hog. Firefox 7 can use up to 50 percent less memory than previous versions, according to Nicholas Nethercote, developer at Mozilla.