Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
    Digg this story   Add to  
Mozilla plugs critical flaws with Firefox patch
Published: 2008-02-08

Software maker Mozilla released an update on Friday for its Firefox browser, closing 10 security holes including a directory traversal issue ranked as High severity and three Critical issues.

While not the most critical issue, a vulnerability in the way the browser handles plug-ins packaged in a certain way could allow an attacker the ability to gather information about the target's browsing session. The issue was originally disclosed by an outside researcher.

"An attacker can use this vulnerability to collect session information, including session cookies and session history," Window Snyder, Mozilla's chief security officer, wrote in a blog post at the end of January. "Firefox is not vulnerable by default. Only users that have installed 'flat' packed add-ons are at risk."

The three issues rated Critical by Mozilla include a memory corruption vulnerability, a flaw that allows scripts to escape the sandbox, and a third security hole that allows navigation history information to be compromised and possibly allow code execution, according to Mozilla's release notes.

Mozilla and Microsoft have both boasted about the security of their respective browsers. Following the release of Internet Explorer 7 and Firefox 2.0, the two organizations faced off over the browsers' phishing features. In July, the two groups argued over whether the browsers should check uniform resource identifiers (URIs) before passing them to other applications. Mozilla quickly fixed the issue, while Microsoft originally argued that the problem should be handled by third-party application, before ultimately releasing a patch.

The update increments the browser's version to and can be downloaded through Firefox's Help menu.

If you have tips or insights on this topic, please contact SecurityFocus.

Posted by: Robert Lemos
    Digg this story   Add to  
Comments Mode:


Privacy Statement
Copyright 2009, SecurityFocus