Severity: Medium
19 October, 2007
Summary:
Late yesterday, the Mozilla Foundation released an update to fix ten security vulnerabilities in Firefox 2.0.0.7, for Windows, Linux, and Macintosh. If one of your Firefox users visits a malicious web page, an attacker could exploit the worst of these vulnerabilities to execute code on your user’s computer, with your user’s privileges, possibly gaining complete control of the computer. If you run Firefox on any platform, you should download and deploy version 2.0.0.8 at your earliest convenience.
Exposure:
Yesterday, the Mozilla Foundation released Firefox 2.0.0.8, fixing ten security vulnerabilities in the popular web browser. We summarize the three most critical vulnerabilities below:
- Two memory corruption vulnerabilities. Firefox suffers from two unspecified crash bugs, which corrupt memory. Mozilla presumes that with enough effort some of these memory corruption flaws could be exploited to run arbitrary code. To exploit these flaws, an attacker would first have to trick one of your users into visiting a specially crafted web page. If your user took the bait, the attacker could execute code on that user’s machine, with that user’s privileges. If your user were a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
- JavaScript privilege elevation vulnerability. According to Mozilla, an attacker can use a Script object to modify XPCNativeWrappers, which in turn could allow the attacker to execute JavaScript with the same privileges as the Firefox user. Techno-babble aside, that means that if an attacker can get your user to visit his malicious web page, and he can convince that user to interact with his page in a particular way, he could exploit this vulnerability to execute malicious JavaScript on your user’s computer with the same privileges as your user. This malicious JavaScript could do just about anything that your user could. So if that user has local administrative or root privileges, an attacker could potentially leverage this vulnerability to gain complete control of the user’s machine.
- Firefox and Internet Explorer code execution vulnerability. In a past Wire post, we described a critical vulnerability in Internet Explorer’s (IE) URI handler that could be abused to launch a cross-browser scripting attack with Firefox. This attack only works if your users have both Firefox and Internet Explorer installed. If an attacker can entice one of your users to click a specially crafted link using IE, he could execute malicious JavaScript in Firefox with your user’s security privileges. If your user had local administrator privileges, the attacker could exploit this flaw to gain complete control of the user’s machine. Mozilla partially corrected the Firefox portion of this vulnerability in July. However, security researchers found new ways of exploiting this flaw using Windows XP with IE7. Today’s update fixes these additional flaws.
The remaining vulnerabilities include Denial of Service (DoS), information disclosure, and URL spoofing flaws. If you’d like to know more about them, check out Firefox’s known issues page. However, the critical vulnerabilities above should convince you to upgrade your Firefox users to the fixed version at your earliest convenience.
As an aside, the 2.0.0.8 update also adds Mac OS X 10.5 (Leopard) support to Firefox.
Solution Path:
Mozilla has updated Firefox, correcting these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 2.0.0.8 as soon as possible. Mozilla no longer supports the 1.5.x branch of Firefox. We recommend that 1.5.x users migrate to 2.0.0.8 now.
Note: The latest versions of Firefox 2.0 automatically inform you when a Firefox update is available. We highly recommend that you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to automatically download and install the update, or to merely inform the user that the update exists.
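For administrators who track Firefox installs in an inventory, the sketch below triages each host against the fixed version and the update setting described above. It is an added example, not WatchGuard or Mozilla code; it assumes the Update tab options are stored in the profile's prefs.js as app.update.enabled and app.update.auto, and the inventory rows are constructed sample data.

```python
import re

FIXED = (2, 0, 0, 8)   # fixed release named in the advisory
# Assumed pref names behind the Update tab; prefs.js lists only non-default values.
PREF_RE = re.compile(r'user_pref\("(app\.update\.(?:enabled|auto))",\s*(true|false)\);')

def parse_version(text):
    """'2.0.0.7' -> (2, 0, 0, 7); None for anything not purely dotted digits."""
    if not re.fullmatch(r"\d+(\.\d+){0,3}", text.strip()):
        return None
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def update_prefs(prefs_js):
    """Effective update settings: defaults (both on) overridden by prefs.js."""
    prefs = {"app.update.enabled": True, "app.update.auto": True}
    for name, value in PREF_RE.findall(prefs_js):
        prefs[name] = value == "true"
    return prefs

def triage(version, prefs_js=""):
    findings = []
    v = parse_version(version)
    if v is None:
        findings.append("version not parseable, check by hand")
    elif v < (2, 0, 0, 0):   # the advisory names 1.5.x; older builds treated alike
        findings.append("unsupported branch, migrate to 2.0.0.8")
    elif v < FIXED:
        findings.append("vulnerable 2.0.x build, deploy 2.0.0.8")
    prefs = update_prefs(prefs_js)
    if not prefs["app.update.enabled"]:
        findings.append("automatic update check disabled")
    elif not prefs["app.update.auto"]:
        findings.append("updates are announced but not auto-installed")
    return findings

# Constructed inventory: (host, reported version, prefs.js excerpt)
INVENTORY = [
    ("ws-01", "2.0.0.8", ""),
    ("ws-02", "2.0.0.7", 'user_pref("app.update.enabled", false);\n'),
    ("ws-03", "1.5.0.12", 'user_pref("app.update.auto", false);\n'),
    ("ws-04", "2.0.0.8pre", ""),
]

def report(inventory=INVENTORY):
    return {host: triage(ver, prefs) for host, ver, prefs in inventory}

if __name__ == "__main__":
    for host, findings in report().items():
        print(host, "OK" if not findings else "; ".join(findings))
```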
For All WatchGuard Users:
Some of these attacks arrive as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.
Status:
The Mozilla Foundation has released Firefox 2.0.0.8, fixing these security issues.