New Firefox Fixes Holes

Officials at the open source Mozilla Foundation released an update for the Firefox browser Tuesday.

Firefox 1.0.5 is the first update to the popular alternative browser since May 11, when the organization fixed three critical bugs to the Mozilla Update Web service. Firefox 1.0.4 was rushed out the door days after two of the flaws were published by an outfit called the Greyhats Security Group.

The update addresses 12 security issues discovered in the Firefox code and includes stability fixes to the browser. Chris Hofmann, Mozilla director of engineering, said all the security vulnerabilities, which range in severity from low to critical (two are critical), have no known exploits.

In addition to Firefox, officials plan to release updates to the Thunderbird e-mail application and Mozilla suite to correct the vulnerabilities addressed in the browser. Hofmann expects Thunderbird and Mozilla updates to be released Wednesday.

As officials pointed out, all three applications use a similar code base, so what affects one may very well affect the others.

Details of the two critical bugs are being withheld until July 20, but both deal with vulnerabilities that could lead to some big headaches for Firefox users.

The first critical bug fixed is described as a “code execution through shared function objects” flaw that would let a Web script get to a privileged object, letting it execute code with enhanced privileges like modifying or deleting files.

The other is a critical vulnerability that allows standalone applications like media players to run arbitrary code through the browser. By default, Firefox takes the content from a currently open browser window and puts it into an external window opened by the application.

If the external window is a “javascript: URL,” it will run as if it came from the site that served the previous content.

For example, if a Firefox user is at their online bank and runs an application that opens a new Firefox window, that application could now contain the user’s sensitive information.


Jim Wagner
Jim Wagner is an eSecurity Planet contributor.
