Mozilla Plugs Firefox 3.6.13 For 11 Flaws
Critical security update for the open source browser issued as work continues on Firefox 4.
Mozilla is updating its open source Firefox web browser to version 3.6.13, fixing at least 11 security issues, nine of which are rated as critical. In contrast, the Firefox 3.6.12 update issued at the end of October, fixed a single critical flaw.
Among the critical security fixes to Firefox 3.6.13 are multiple memory safety hazards which Mozilla has grouped under a single advisory. One of the memory flaws was reported by famed security researcher 'Nils' who in 2009, demonstrated how he could exploit both IE 8 and Firefox 3.x with a previously unreported zero-day flaw at the PWN2OWN security contest.
Firefox 3.6.13 also provides a critical fix for a buffer overflow security issue that affects Windows users.
"Dirk Heinrich reported that on Windows platforms when document.write() was called with a very long string a buffer overflow was caused in line breaking routines attempting to process the string for display," Mozilla warned in its advisory. "Such cases triggered an invalid read past the end of an array causing a crash which an attacker could potentially use to run arbitrary code on a victim's computer."
Other buffer related critical fixes include a critical fix for a crash and remote code executing issue while using HTML tags inside of a XUL tree.
With Firefox 3.6.13, Mozilla is also providing a fix for a security issue involving OpenType fonts, that was independently report by both Red Hat Security Response Team member Marc Schoenefeld and Mozilla security researcher Christoph Diehl. A new OTS font santizer has now been included with Firefox to help mitigate the risks that users could have been exposed to from a malicious OpenType font.
Additionally there are several critical fixes for privilege escalation attacks, one of which specifically related to the use of a Java LiveConnect script.
Mozilla is also issuing an updated fix for a flaw that had originally been reported in July of 2009 and thought not to affect the Firefox 3.6.x code. The flaw is triggered by the use of the Firebug developer tools add-on, and could potentially have led to arbitrary code execution.
SSL security is another topic addressed in the new Firefox update. Google security researcher Michal Zalewski is credited by Mozilla for the discovery of a high impact location bar SSL spoofing flaw. According to Mozilla's advisory, when a window was opened to a site resulting in a network or certificate error page, the opening site could access the document inside the opened window and inject arbitrary content.
The new stable release of Firefox comes as developers continue to work on the next generation Firefox 4 web browser, which is currently at its Beta 7 milestone. With Firefox 4, Mozilla is set to introduce a number of enhanced features that are intended to secure the Web browsing experience.
Keep up with browser security news; Follow eSecurityPlanet on Twitter: @eSecurityP.