Web & communication software

Mozilla patches critical Firefox flaws

Mozilla Tuesday patched seven security vulnerabilities in Firefox, two of them labeled “critical,” in the browser’s first update for 2009.

Firefox 3.0.6 fixes about half the number of bugs that Mozilla quashed in December with the previous security update.

Of the seven flaws, two were rated “critical,” by Mozilla, two “high,” one “moderate” and two “low” in the company’s four-step scoring system. Both of the critical vulnerabilities may have significant exploit potential, Mozilla said.

“Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort, at least some of these could be exploited to run arbitrary code,” the company’s advisory read. If so, hackers could use the bugs to crash the browser, then introduce their own malicious code into a vulnerable system, or both.

Other patches plugged a cross-site scripting hole—a type of bug often used by identity thieves—and another flaw that could be exploited to steal data from Web forms.

One of the seven patches was a second attempt to fix a problem first addressed in a November 2008 update. Although Mozilla rated the bug as moderate, the second-lowest in its scale, it said the vulnerability “could potentially be used by an attacker to inject arbitrary code,” a description usually reserved for critical flaws. Mozilla justified the lower ranking by saying that any attack “has relatively high complexity.”

Mozilla also warned users of the older Firefox 2.0 that their browser is vulnerable to some of the bugs patched in Version 3.0, although it didn’t get into specifics. “If you’re still using Firefox 2.0.0.x, this version is no longer supported and contains known security vulnerabilities,” said Samuel Sidler, a Mozilla engineer, in a post to the “mozilla.dev.planning” message group Tuesday.

Firefox 2.0 was retired from support in mid-December. Since then, Mozilla has made a third and final attempt to get Firefox 2.0 users to update to the newer Firefox 3.0, and warned users that Google has shut off antiphishing protection in the former.

According to the latest data from Web metrics company Net Applications, Firefox 2.0 accounts for about 13 percent of Firefox’s market share.

Not surprisingly, Mozilla Messaging’s Thunderbird e-mail client, which uses the Firefox engine, primarily for JavaScript rendering, was not patched Tuesday. It remains at Version 2.0.0.19, a late December update. Until Thunderbird catches up—an update is currently being tested—users can protect themselves against the two related Firefox vulnerabilities by disabling JavaScript in the e-mail program.

The new version of Firefox can be downloaded for Mac OS X from the Mozilla site. Current users can also call up their browser’s built-in updater, or wait for the automatic update notification, which should pop up in the next 48 hours.

Subscribe to the Apple @ Work Newsletter

Comments