 |
Another day, another browser (or two) patched for security vulnerabilities.
This time, it’s Mozilla updating its open source Firefox Web browsers to versions 3.0.5 and 2.0.0.19 for at least 10 different vulnerabilities, four of which are critical.
The release covers more than security updates. The Firefox 3.0.05 release also replaces the Mozilla Firefox End User License Agreement (EULA). In addition, the 2.0.0.19 update is the end of the line for security updates to the 2.x series.
“Mozilla is not planning any further security and stability updates for Firefox 2, and recommends that you upgrade to Firefox 3 as soon as possible,” Mozilla developer Samuel Sidler wrote in a mailing list posting.
The Firefox 2.x series debuted in October of 2006.
Changes to the Mozilla EULA had been under discussion since at least September of this year.
The issue among many supporters was whether Firefox needed a EULA, given that the software is open source. Mozilla has now replaced the EULA with a new “Know Your Rights” info bar on initial install, which explains what users are able to do with the software.
Regarding the critical security fixes, Mozilla has patched three different cross site scripting vulnerabilities with the update. The Mozilla Foundation Security Advisory 2008-68 details a XSS and JavaScript privilege escalation issue that could potentially allow for arbitrary script execution.
On the other hand, Mozilla’s Security Advisory 2008-69 fixes XSS vulnerabilities in Firefox’s SessionStore.
“Mozilla security researcher moz_bug_r_a4 reported vulnerabilities in the session-restore feature by which content could be injected into an incorrect document storage location, including storage locations for other domains,” Mozilla’s advisory warns. “An attacker could utilize these issues to violate the browser’s same-origin policy and perform an XSS attack while SessionStore data is being restored.”
Google security researcher Marius Schilder is credited by Mozilla for reporting the XMLHttpRequest (XHR)
Another Google security researcher, Chris Evans, is credited with the discovery of a Cross-domain data theft via script redirect error message vulnerability. According to the Mozilla advisory, the vulnerability could potentially allow an attacker to steal private data from users who are authenticated on the redirected Web site. Evans found that a JavaScript URL could be used to redirect users to a different domain with data.
“Upon attempting to load the data as JavaScript a syntax error is generated that can reveal some of the file context via thewindow.onerror DOM API,” Mozilla said.
The Firefox 3.0.5 update comes nearly a month after Mozilla issued its Firefox 3.0.4 update. It also comes as Mozilla rival Microsoft is rushing out an out of cycle patch for a critical zero day flaw in the dominant Internet Explorer Web browser.
And development work moves on. Mozilla continues to oversee work on its next generation Firefox 3.1 browser, which hit its Beta 2 milestone earlier this month.
