Severity: Medium
23 February, 2007
Summary:
Late today, the Mozilla Foundation released updates fixing 26 security vulnerabilities in Firefox 1.5.0.9 and 2.0.0.1, for Windows, Linux, and Macintosh. If one of your Firefox users visits a malicious Web page, an attacker could exploit the worst of these vulnerabilities to execute code on that user’s computer, with that user’s privileges, possibly gaining complete control of the computer. If you run Firefox on any platform, you should download and deploy version 2.0.0.2 as soon as possible.
Exposure:
Yesterday, the Mozilla Foundation released Firefox 1.5.0.10 and Firefox 2.0.0.2, fixing 26 security vulnerabilities (as well as adding more Vista compatibility and new language support) in the popular Web browser. Some of these vulnerabilities could allow a remote attacker to execute arbitrary code on your users’ computers. We highlight a few of the more worrisome flaws below:
- Multiple Memory Corruption Vulnerabilities. Firefox suffers from several bugs that crash the browser and corrupt system memory. These flaws — twenty in total — involve different components of Firefox, such as its layout engine and its JavaScript engine. Mozilla presumes that a skilled attacker could exploit at least some of these memory corruption vulnerabilities to execute code on your computer. Of course, the attacker would first have to lure one of your Firefox users to a malicious Web site. If your user runs Firefox as a local administrator or root user, the attack could exploit this flaw to gain complete control of the victim’s computer. If you’d like more information on these twenty flaws, check out their individual Bug IDs in Mozilla’s alert.
Severity: Medium
23 February, 2007
Summary:
Late today, the Mozilla Foundation released updates fixing 26 security vulnerabilities in Firefox 1.5.0.9 and 2.0.0.1, for Windows, Linux, and Macintosh. If one of your Firefox users visits a malicious Web page, an attacker could exploit the worst of these vulnerabilities to execute code on that user’s computer, with that user’s privileges, possibly gaining complete control of the computer. If you run Firefox on any platform, you should download and deploy version 2.0.0.2 as soon as possible.
Exposure:
Yesterday, the Mozilla Foundation released Firefox 1.5.0.10 and Firefox 2.0.0.2, fixing 26 security vulnerabilities (as well as adding more Vista compatibility and new language support) in the popular Web browser. Some of these vulnerabilities could allow a remote attacker to execute arbitrary code on your users’ computers. We highlight a few of the more worrisome flaws below:
- Multiple Memory Corruption Vulnerabilities. Firefox suffers from several bugs that crash the browser and corrupt system memory. These flaws — twenty in total — involve different components of Firefox, such as its layout engine and its JavaScript engine. Mozilla presumes that a skilled attacker could exploit at least some of these memory corruption vulnerabilities to execute code on your computer. Of course, the attacker would first have to lure one of your Firefox users to a malicious Web site. If your user runs Firefox as a local administrator or root user, the attack could exploit this flaw to gain complete control of the victim’s computer. If you’d like more information on these twenty flaws, check out their individual Bug IDs in Mozilla’s alert.
Mozilla Impact rating: Critical.
- Two SSLv2 Buffer Overflow Vulnerabilities. Mozilla uses a custom set of security libraries called Network Security Services (NSS) to support various security protocols such as SSL, TLS, and PKCS. The NSS library suffers from two buffer overflow flaws involving its handling of the SSLv2 protocol. By enticing one of your users to a malicious Web site with a specially crafted public key certificate, an attacker could exploit one of these flaws to execute code on that user’s computer with that user’s privileges. However, Mozilla notes, “exploiting this overflow appears to be unreliable.” Furthermore, Firefox 2.0.x doesn’t enable SSLv2 by default. So this flaw primarily affects Firefox 1.5.x users.
Mozilla Impact rating: Critical. (less severe for 2.0.x users)
- Cookie-Stealing Vulnerability. A technically complicated flaw in Firefox could allow an attacker to tamper with cookies from other sites you visit. The flaw stems from the way Firefox handles something called the ‘location-hostname’ DOM property. In a nutshell, if an attacker can entice you into clicking a link on his malicious Web page, he can tamper with authentication cookies on your computer from any other Web site. Depending on what kind of information the third party site stores in its cookies, this could allow the attacker to seriously manipulate how that third party Web site displays and operates for you. To see this flaw in action, check out this benign Proof-of-Concept provided by the flaw’s discoverer, Michal Zalewski.
Mozilla Impact rating: High.
The twenty memory corruption vulnerabilities alone should convince any administrator to upgrade to 2.0.0.2 as soon as possible. However, if you’d like to know more about the remaining vulnerabilities, check out Firefox’s known issues page.
Solution Path:
Mozilla has updated Firefox in order to correct these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 2.0.0.2 as soon as possible. Mozilla also released Firefox version 1.5.0.10 to fix these issues for users who insist on sticking with the 1.5.x branch of Firefox. However, Mozilla plans to end 1.5.x support on April 24, 2007. We recommend that 1.5.x users migrate to 2.0.0.2 now.
Status:
The Mozilla Foundation has released Firefox 1.5.0.10 and 2.0.0.2, fixing these security issues.