New Firefox Fixes Holes
The open source browser is treated to an update that corrects 12 security vulnerabilities, two 'borderline critical.'
Firefox 1.0.5 is the first update to the popular alternative browser since May 11, when the organization fixed three critical bugs to the Mozilla Update Web service. Firefox 1.0.4 was rushed out the door days after two of the flaws were published by an outfit called the Greyhats Security Group.
The update addresses 12 security issues discovered in the Firefox code and includes stability fixes to the browser. Chris Hofmann, Mozilla director of engineering, said the security vulnerabilities, which range in severity from low to critical (two are rated critical), have no known exploits.
In addition to Firefox, officials plan to release updates to the Thunderbird e-mail application and Mozilla suite to correct the vulnerabilities addressed in the browser. Hofmann expects Thunderbird and Mozilla updates to be released Wednesday.
Details of the two critical bugs are being withheld until July 20, but both deal with vulnerabilities that could lead to some big headaches for Firefox users.
The first critical bug fixed is described as a "code execution through shared function objects" flaw that would let a Web script reach a privileged object and then execute code with enhanced privileges, for example to modify or delete files.
The other is a critical vulnerability that allows standalone applications like media players to run arbitrary code through the browser. By default, Firefox takes the content from a currently open browser window and puts it into an external window opened by the application.
For example, if a Firefox user is at their online bank and runs an application that opens a new Firefox window, that application could now contain the user's sensitive information.