Mozilla Patches 10 Serious Security Vulnerabilities in Firefox 6

Mozilla addressed a handful of critical and high-risk security vulnerabilities in the latest Firefox release.

Mozilla fixed 10 "critical" and "high-risk" security vulnerabilities in its popular Firefox Web browser, several of which could have led to remote code execution by malicious attackers.

Mozilla addressed vulnerabilities relating to memory management, heap overflows and unsigned scripts in Firefox 6, released Aug.17. The latest version arrived just two months after Firefox 5, and is more or less a cosmetic upgrade, albeit with 1,300 under-the-hood changes and fixes.

Ten of the fixes closed critical or "high-risk" security flaws, according to the accompanying security advisory. Several of the bugs, if exploited, could have resulted in a remote attacker running code just by having the unsuspecting user browse on a malicious Website.

"We presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla said in the security advisory for Firefox 6.

Mozilla patched four critical memory-safety flaws in the browser engine used in Firefox 4, Firefox 5 and other Mozilla products using the engine. The bugs resulted in memory corruption "under certain circumstances," Mozilla said. Another critical bug allowed unsigned JavaScript code to run a script inside a signed JAR file with the permissions and identity of that file.

Mozilla fixed two critical WebGL issues reported by Michael Jordon, a researcher with Context IS. Jordon found that an overly long shader program could cause a string class used to store the code to experience a buffer overflow and crash. Another potentially exploitable heap overflow bug was in the ANGLE library used by Mozilla's WebGL implementation in Firefox.

Mozilla also fixed a dangling pointer vulnerability in a SVG text manipulation routine in Firefox. Mozilla also addressed two high-risk issues in Content Security Policy where credentials were being leaked from the violation reports. Finally, Mozilla fixed the bug with Windows D2D hardware acceleration where image data from one domain could be read by a different domain.

Other security changes include adding domain highlighting in the URL to make phishing attempts more apparent. The entire Web page address in the address bar is greyed out, with just the actual domain name in black. If the site is a phishing site, users would notice the different domain name much more easily. This feature already exists in Internet Explorer 9 and in Google Chrome.

The area on the left of the URL in the address bar, the "side identity block," displays whether the Website is secure. Clicking on the block displays information as to whether the page is encrypted or verified, and the identity of the site owner and verifier.

"The Awesome Bar (URL bar) highlights a Website's domain name and the identity block is more prominent to help quickly identify where you are on the Web," Mozilla said in a blog post announcing the release.

Users can also set privacy permissions on a site-by-site basis. By typing "about:permissions" in the address bar, uses can access the page to specify which sites could store passwords, get access to the user's location, set cookies, open popup windows and maintain permanent storage.

Mozilla switched to a rapid release process for its Web browser this year, delivering new features, performance improvements and security upgrades every six weeks. The goal is to deliver continuous improvement and make the updates and changes seamless, Mozilla has said.

Firefox 7, expected in October, will most likely be a more substantial upgrade, with improvements in the JavaScript engine to use much less memory.