Thursday, December 21, 2006

Mozilla fixes 8 security vulnerabilities in Firefox 2.


Mozilla today released security updates for the 8 vulnerabilities that was found in the Firefox 2. Among this 5 are rated as critical by the Mozilla security advisory.

The following are the vulnerabilities that have been fixed in Firefox 2.

MFSA 2006-76 XSS using outer window's Function object
MFSA 2006-75 RSS Feed-preview referrer leak
MFSA 2006-73 Mozilla SVG Processing Remote Code Execution
MFSA 2006-72 XSS by setting img.src to javascript: URI
MFSA 2006-71 LiveConnect crash finalizing JS objects
MFSA 2006-70 Privilege escallation using watch point
MFSA 2006-69 CSS cursor image buffer overflow (Windows only)
MFSA 2006-68 Crashes with evidence of memory corruption (rv:1.8.0.9/1.8.1.1)

However the recent vulnerability which was discovered in Firefox 2 which is know as the Reverse cross site request vulnerability has not yet been fixed. This vulnerability allows malicious people to conduct phishing attacks and as it was advised when this vulnerability was discovered, the only solution available for this now is to disable the password manager.

This is the first security release for Firefox 2 since it's release in late October.

Mozilla has also released security updates for the earlier versions of the browser and you can find a list of all the security patches in this page.

Users should get an automatic update notification. Users who have turned off update notification can use the "Check for Updates..." item on the Help menu. If the menu item is disabled you will have to install from a more privileged user account. You can also download the security updates directly by going to the following pages:-

Firefox 2.0.0.1
Firefox 1.5.0.9
Thunderbird 1.5.0.9

Mozilla also advises that users should update to Firefox 2.0, as the 1.5.x line will be provided with security fixes only until April 24, 2007.


Google