Mozilla has released a new update for its open source Firefox Web browser, closing the door on a handful of security vulnerabilities found in previous versions.
The new Firefox 3.5.6 includes seven security advisories detailing fixes in the release, three of which are for issues that Mozilla described as “critical.”
Two of the critical fixes deal with media-related vulnerabilities in particular. One vulnerable component is the liboggplay library, which is used by Firefox 3.5.x as part of its support for HTML 5 audio and video tags.
“Mozilla discovered several bugs in liboggplay which posed potential memory safety issues,” Mozilla said in its advisory. “The bugs, which were fixed, could potentially be used by an attacker to crash a victim’s browser and execute arbitrary code on their computer.”
The second media-related vulnerability fixed in Firefox 3.5.6 comes by way of a flaw in the libtheora video library, which is also part of Firefox 3.5.x’s HTML 5 video support. The libtheora flaw is an integer overflow condition initially reported by security researcher Dan Kaminsky.
“A video’s dimensions were being multiplied together and used in particular memory allocations,” Mozilla said in its security advisory. “When the video dimensions were sufficiently large, the multiplication could overflow a 32-bit integer, resulting in too small a memory buffer being allocated for the video. An attacker could use a specially crafted video to write data past the bounds of this buffer, causing a crash and potentially running arbitrary code on a victim’s computer.”
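The arithmetic behind that description, as an added C example that is not libtheora's or Mozilla's code: the function names and the one-byte-per-pixel plane are assumptions made for illustration. It shows the wrapped 32-bit product next to a size check that rejects dimensions before any allocation happens.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked form: the product is computed in 32 bits and silently
 * wraps modulo 2^32 when the dimensions are large enough. */
uint32_t frame_bytes_unchecked(uint32_t width, uint32_t height)
{
    return width * height;
}

/* Checked form: returns 0 and stores the size in *out, or returns -1
 * when a dimension is zero or the product does not fit in 32 bits. */
int frame_bytes_checked(uint32_t width, uint32_t height, uint32_t *out)
{
    if (width == 0 || height == 0)
        return -1;
    if (width > UINT32_MAX / height)   /* width * height would overflow */
        return -1;
    *out = width * height;
    return 0;
}

/* Hypothetical allocator for a one-byte-per-pixel plane: it refuses the
 * frame instead of handing back a buffer smaller than the frame needs. */
void *alloc_plane(uint32_t width, uint32_t height)
{
    uint32_t n;
    if (frame_bytes_checked(width, height, &n) != 0)
        return NULL;
    return malloc((size_t)n);
}

int main(void)
{
    /* Constructed dimensions: 65536 * 65537 = 2^32 + 65536. */
    uint32_t w = 65536u, h = 65537u, n = 0;
    printf("true size      : %llu bytes\n",
           (unsigned long long)w * (unsigned long long)h);
    printf("32-bit product : %u bytes\n", (unsigned)frame_bytes_unchecked(w, h));
    printf("checked result : %d\n", frame_bytes_checked(w, h, &n));
    return 0;
}
```

With the constructed dimensions, the unchecked product is 65,536 bytes for a frame that actually needs more than 4 GiB, which is the undersized buffer the advisory describes.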
Memory corruption issues are often fixed in Firefox point releases and the 3.5.6 release is no exception. Mozilla released a generic advisory as part of the 3.5.6 release for what it described as “Crashes with evidence of memory corruption.” The Firefox 3.5.4 release in October, as well as the Firefox 3.5.3 release in September, also carried similar advisories for memory corruption crashes.
There is also a fix in this week’s Firefox 3.5.6 for a pair of location bar spoofing vulnerabilities that Mozilla has officially rated as carrying a moderate, rather than critical, risk.
In one potential attack scenario, the spoofed page could modify itself so that a user could be tricked into falsely thinking they are on a Web page secured by SSL. SSL-related redirection flaws in browsers are not a new thing for Mozilla, either: Earlier this year, SSL redirection insecurity was a topic highlighted at the Black Hat Las Vegas 2009 event, with Kaminsky detailing several potential vulnerabilities. Mozilla issued a fix for the specific issues raised at Black Hat in the Firefox 3.5.2 release.
This week’s Firefox 3.5.6 release follows the Firefox 3.5.5 release, which came out in November to fix stability problems.
Mozilla already has plans in the works for a Firefox 3.5.7 release for early January to fix a flaw in how Firefox users get major browser updates. Work is also continuing on the next-generation Firefox 3.6 browser, with a Release Candidate set for this week.
Firefox 3.6 is currently at its Beta 4 release milestone.
Sean Michael Kerner is a senior editor at InternetNews.com, covering Linux and open source, application development and networking.