Mozilla Firefox 3.6.9 Security Updates Follow Microsoft's Lead


Mozilla is improving the security of its open source Firefox Web browser this week with the help of a feature that originally debuted last year in Microsoft's rival Internet Explorer browser.

The new Firefox 3.6.9 release also provides fixes for 10 vulnerabilities that Mozilla described as "critical" -- the highest threat level on its security-rating scale. Those vulnerabilities include a DLL-loading vulnerability in Windows for which Microsoft released its own fix last week.

At the very least, the new Firefox update thus signals Mozilla's willingness to take a page out of the playbook of its chief competitor. As a way to help mitigate clickjacking attacks, Firefox 3.6.9 includes support for the X-FRAME-OPTIONS response header, which first appeared in the Microsoft IE8 Release Candidate 1 back in January 2009.

Clickjacking is an attack vector whereby an attacker hides a button underneath another button, tricking a user into clicking and giving up their credentials or other information. With the X-FRAME-OPTIONS header, though, a website can specify components that cannot be framed and included on other sites, potentially limiting the risk of clickjacking.

"The canonical documentation for X-Frame-Options is still Eric Lawrence's blog post," Brandon Sterne, Mozilla's Web security engineer, said in an email to, referring to Microsoft Program Manager Eric Lawrence, who first publicly described in detail the use of X-FRAME-OPTIONS in IE8. "We connected briefly with Microsoft about a couple of details. However, it is not a heavily specified feature. It was mostly a matter of following existing implementations."
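As an added illustration (not code from the article, Mozilla or Microsoft), the following JavaScript models the framing check described above and shows why a mistyped header value leaves a page unprotected. The DENY and SAMEORIGIN values come from the header's published definition rather than from this article; the function names, the bank.example and other.example hosts and the sample responses are constructed for the example.

```javascript
// Simplified model of the framing check a browser performs when it honours
// X-Frame-Options. Assumptions: only DENY and SAMEORIGIN are recognised, and
// SAMEORIGIN is compared against the top-level page's origin.

// Collect every X-Frame-Options value. Header names are case-insensitive and
// a value may arrive comma-joined when the header was sent more than once.
function xfoValues(headers) {
  return headers
    .filter(([name]) => name.toLowerCase() === 'x-frame-options')
    .flatMap(([, value]) => value.split(','))
    .map((v) => v.trim().toUpperCase())
    .filter((v) => v !== '');
}

// Returns { allowed, reason } for rendering resourceUrl in a frame on topUrl.
function mayRenderInFrame(headers, resourceUrl, topUrl) {
  const values = xfoValues(headers);
  if (values.length === 0) {
    return { allowed: true, reason: 'no header: any site may frame this page' };
  }
  if (values.includes('DENY')) {
    return { allowed: false, reason: 'DENY: never rendered in a frame' };
  }
  if (values.every((v) => v === 'SAMEORIGIN')) {
    const same = new URL(resourceUrl).origin === new URL(topUrl).origin;
    return { allowed: same, reason: 'SAMEORIGIN: parent is ' + (same ? 'same' : 'cross') + '-origin' };
  }
  // Anything else (for example the typo "SAME-ORIGIN") is treated here as
  // giving no protection, which is the conservative reading for an audit.
  return { allowed: true, reason: 'unrecognised value: header has no effect' };
}

// Constructed sample responses for a hypothetical page on bank.example.
const page = 'https://bank.example/transfer';
const samples = [
  ['no header', [['Content-Type', 'text/html']], 'https://other.example/game'],
  ['DENY', [['X-Frame-Options', 'DENY']], 'https://bank.example/home'],
  ['SAMEORIGIN, own site', [['x-frame-options', 'sameorigin']], 'https://bank.example/home'],
  ['SAMEORIGIN, other site', [['X-Frame-Options', 'SAMEORIGIN']], 'https://other.example/game'],
  ['typo', [['X-Frame-Options', 'SAME-ORIGIN']], 'https://other.example/game'],
];
for (const [label, headers, top] of samples) {
  const r = mayRenderInFrame(headers, page, top);
  console.log(label + ': ' + (r.allowed ? 'framed' : 'blocked') + ' (' + r.reason + ')');
}
```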

Firefox 4 on the Horizon

The new Firefox release comes as Mozilla developers continue to push forward on their next-generation Firefox 4 Web browser, which will also introduce a host of security improvements.

Sterne did not elaborate on why Mozilla decided to implement X-FRAME-OPTIONS as part of Firefox 3.6.9 as opposed to waiting for the Firefox 4 release, which is already expected to include security enhancements that could further reduce the risks of clickjacking.

In August, Sterne explained to that Firefox 4 will include Content Security Policy (CSP). With CSP, websites will be able to help prevent cross-site scripting (XSS) by having a policy that defines which content may be run on a site.

Locking down critical Firefox vulnerabilities

In addition to the new X-FRAME-OPTIONS header support included in Firefox 3.6.9, the latest Mozilla update also provides a fix for the Windows DLL (dynamic link library) vulnerability that security experts warn could potentially impact a large number of Windows applications.

The DLL security flaw was first publicly exposed in August, though Microsoft (NASDAQ: MSFT) may have known about the issue for a year. The company has since taken steps to limit the threat posed by rogue DLLs, but it still urged app developers to make changes in their programs to fully block the vulnerability.

In response, Mozilla moved to fill in the potential security hole with Firefox 3.6.9.

"Firefox attempts to load dwmapi.dll upon startup as part of its platform detection, so on systems that don't have this library, such as Windows XP, Firefox will subsequently attempt to load the library from the current working directory," Mozilla wrote in its security advisory. "An attacker could use this vulnerability to trick a user into downloading an HTML file and a malicious copy of dwmapi.dll into the same directory on their computer and opening the HTML file with Firefox, thus causing the malicious code to be executed."

Other critical flaws patched by Mozilla in the Firefox 3.6.9 update include fixes for memory safety hazards, a frameset integer overflow issue, a dangling pointer vulnerability and a heap buffer overflow issue.

An XSS vulnerability also gets fixed in the update, ending a threat that Mozilla had rated as having "moderate" impact. The XSS flaw could have been triggered by simply copying and pasting content, Mozilla said.

"Security researcher Paul Stone reported that when an HTML selection containing JavaScript is copy-and-pasted or dropped onto a document with designMode enabled, the JavaScript will be executed within the context of the site where the code was dropped," Mozilla noted in its advisory. "A malicious site could leverage this issue in an XSS attack by persuading a user into taking such an action and, in the process, running malicious JavaScript within the context of another site."

Sean Michael Kerner is a senior editor at, the news service of, the network for technology professionals.
