Latest Firefox Update Fixes Eight Security Flaws
Severity: Medium
4 February, 2008
Summary:
This vulnerability affects: Firefox 3.0.5 (and previous versions) for Windows, Linux, and Macintosh
How an attacker exploits it: Multiple vectors of attack, including enticing one of your users to visit a malicious web page
Impact: Various results; in the worst case, an attacker executes code on your user’s computer, gaining complete control of it
What to do: Upgrade to Firefox 3.0.6
Exposure:
Late yesterday, the Mozilla Foundation released Firefox 3.0.6, fixing approximately eight security vulnerabilities (based on CVE-IDs) in the popular web browser. We summarize three of the vulnerabilities below:
Memory corruption vulnerabilities (2009-001). Firefox suffers from several crash bugs, which corrupt memory. Mozilla’s alert shares scant detail about these memory corruption flaws, but it does say the flaws lie within Firefox’s layout engine and its JavaScript engine (the flaws also affect some other Mozilla-based products). Mozilla presumes that, with enough effort, attackers could exploit some of these memory corruption flaws to run arbitrary code on a victim’s computer. To do so, an attacker would first have to trick one of your users into visiting a maliciously crafted web page. If your user took the bait, the attacker could execute malicious code on that user’s machine, with that user’s privileges. And if the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
Mozilla Impact rating: Critical
XSS vulnerability in chrome XBL method (2009-002). Firefox suffers from a cross-site scripting (XSS) vulnerability involving the way it handles a particular method (specifically, the chrome XBL method). By enticing one of your users into clicking a specially crafted link, an attacker can exploit this flaw to bypass the same origin policy. Among other things, this allows attackers to execute scripts under the context of a legitimate web site or read data from a legitimate site. For instance, if your users visit secure web sites which store sensitive data, an attacker might leverage this flaw to steal that sensitive data.
Mozilla Impact rating: High
XSS vulnerabilities in SessionStore (2009-003). Since version 2.x, Firefox has shipped with a SessionStore feature that saves your current browser session data. For example, if Firefox crashes when you have several web sites opened in various tabs, Firefox can recover all those tabs and web sessions when you re-run the program. Unfortunately, Firefox suffers from a convoluted security vulnerability involving the way SessionStore restores closed tabs. If an attacker knows the specific location of a file he’d like to steal, and can convince one of your users to close and then restore a Firefox tab, he can exploit this vulnerability to steal any file on that user’s computer.
Mozilla Impact rating: High
Visit Mozilla’s Known Vulnerabilities page for a complete list of the vulnerabilities that this update fixes.
Solution Path:
Mozilla has updated Firefox 3, correcting these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 3.0.6 as soon as possible. We recommend that 1.5.x and 2.x users migrate to 3.0.6 now.
Note: The latest versions of Firefox 3.0 automatically inform you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to always download and install any update, or if you prefer, only to inform the user that an update exists.
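Administrators rolling out 3.0.6 usually want two answers per workstation: is the installed build older than the fixed release, and is the automatic update check still switched on? The script below is an added example written for this advisory, not code from Mozilla or from the advisory’s author. It compares version strings numerically (so that 3.0.10 is correctly treated as newer than 3.0.6, which a plain string comparison gets wrong) and reads the update preferences from a prefs.js excerpt. The preference names app.update.enabled and app.update.auto are the real Firefox 3 update settings; the prefs.js contents and the version list are constructed sample input.

```python
"""Check Firefox installs against the 3.0.6 advisory minimum.

Added example (not from the advisory or from Mozilla): given a version
string reported by an install and the contents of its prefs.js, report
whether the build is at or above 3.0.6 and whether the automatic update
check is still enabled.
"""
import re

# Minimum fixed version named in the advisory.
FIXED_VERSION = "3.0.6"

# The preference names are the real Firefox 3 update prefs; the values
# below are a constructed prefs.js excerpt, not a file from a real machine.
SAMPLE_PREFS_JS = '''
user_pref("app.update.enabled", false);
user_pref("app.update.auto", true);
user_pref("browser.startup.homepage", "about:blank");
'''

# One user_pref(...) line: name, then a boolean, integer, or quoted string.
_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);')


def parse_version(version):
    """Split '3.0.6' into (3, 0, 6) so comparison is numeric, not lexical.

    A non-numeric suffix such as the 'pre' in '3.0.6pre' is ignored; the
    numeric prefix of each component is what gets compared.
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def parse_prefs(prefs_js):
    """Pull user_pref() lines from prefs.js text into a dict of Python values."""
    prefs = {}
    for name, raw in _PREF_RE.findall(prefs_js):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw.strip('"')
        else:
            prefs[name] = int(raw)
    return prefs


def update_check_enabled(prefs_js):
    """Firefox 3 defaults app.update.enabled to true; only an explicit
    false written to prefs.js turns the update check off."""
    return parse_prefs(prefs_js).get("app.update.enabled", True)


def assess(version, prefs_js):
    """Summarize the two facts an administrator acts on for one install."""
    return {
        "version": version,
        "needs_upgrade": is_vulnerable(version),
        "auto_check_enabled": update_check_enabled(prefs_js),
    }


if __name__ == "__main__":
    # Constructed version list covering the advisory's affected and fixed builds.
    for v in ("2.0.0.20", "3.0.5", "3.0.6", "3.0.10"):
        print(assess(v, SAMPLE_PREFS_JS))
```

In the sample prefs.js the update check has been explicitly disabled, so `assess` flags the install even when the version is already 3.0.6; that is the case the note above warns about, since such a machine will not learn about the next Mozilla release on its own.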
For All Users:
Many of these attacks arrive as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.
Status:
The Mozilla Foundation has released Firefox 3.0.6, fixing these security issues.