Mozilla Firefox and Google Chrome Updated for Security Flaws


It's a big week for browser updates, as both Mozilla and Google are updating their respective Web browsers for multiple security flaws.

The Mozilla Firefox 3.6.11 update addresses at least nine security flaws, five of which are rated as being critical by Mozilla. Among the critical flaws are memory safety hazard issues, as well as a memory corruption issue that could potentially enable an attacker to run arbitrary code.

Additionally, there is a critical fix for a use-after-free memory error, which could enable attackers to make unauthorized use of allocated memory.

"Security researcher Sergey Glazunov reported that it was possible to access the 'locationbar' property of a window object after it had been closed," Mozilla's security advisory states. "Since the closed window's memory could have been subsequently reused by the system, it was possible that an attempt to access the 'locationbar' property could result in the execution of attacker-controlled memory."

Mozilla also credits HP TippingPoint's Zero Day Initiative with the discovery of a JavaScript dangling pointer vulnerability, which could also lead to an attacker taking control of user memory.

"When 'window.__lookupGetter' is called with no arguments, the code assumes the top JavaScript stack value is a property name," Mozilla's advisory states. "Since there were no arguments passed into the function, the top value could represent uninitialized memory or a pointer to a previously freed JavaScript object. Under such circumstances the value is passed to another subroutine, which calls through the dangling pointer, potentially executing attacker-controlled memory."

Firefox 3.6.11 also provides fixes for a number of interesting vulnerabilities, including one related to how Firefox handles the nearly extinct Gopher server system. The Gopher vulnerability could have led to a Cross Site Scripting (XSS) attack.

There is also a fix for an SSL wildcard flaw that Mozilla notes is unlikely to ever occur, since a certificate authority isn't likely to grant the wildcard certificate.

"Security researcher Richard Moore reported that when an SSL certificate was created with a common name containing a wildcard, followed by a partial IP address, a valid SSL connection could be established with a server whose IP address matched the wildcard range by browsing directly to the IP address," Mozilla stated in its advisory.

The issue of SSL wildcards was a topic that was first raised at the Black Hat 2009 security conference. Famed security researcher Dan Kaminsky reported that the major browser vendors all had SSL wildcard flaws that could potentially be exploited. Mozilla patched the specific flaws highlighted by Kaminsky in August of 2009 with the Firefox 3.5.2 release.
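The wildcard behaviour Moore reported can be shown with a small name-matching sketch. This is an added example, not code from Mozilla or from the advisory: `naive_match` is a constructed flawed matcher, `strict_match` is one way to refuse wildcard expansion for IP literals, and all names and sample values are assumptions made for illustration.

```python
import ipaddress

def is_ip_literal(host: str) -> bool:
    """True when the string parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def naive_match(pattern: str, host: str) -> bool:
    """Flawed: '*' may stand for any one dot-separated label, and nothing
    checks whether 'host' is a DNS name or an address."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and all(a == "*" or a == b for a, b in zip(p, h))

def strict_match(pattern: str, host: str) -> bool:
    """Hardened: addresses match only an equal address; a wildcard is
    honoured only as the entire left-most label of a DNS name."""
    if is_ip_literal(host):
        return (is_ip_literal(pattern)
                and ipaddress.ip_address(pattern) == ipaddress.ip_address(host))
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h) or any("*" in label for label in p[1:]):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

# Constructed sample data: (certificate common name, what the user browsed to).
# 192.0.2.0/24 is a documentation range; the .test names are reserved.
CASES = [
    ("*.0.2.10", "192.0.2.10"),          # wildcard + partial IP vs. IP literal
    ("192.0.2.10", "192.0.2.10"),        # exact address
    ("*.example.test", "www.example.test"),
    ("*.example.test", "example.test"),  # wildcard must cover exactly one label
    ("www.*.test", "www.example.test"),  # wildcard outside left-most label
]

def compare(cases=CASES):
    """Return (pattern, host, naive_result, strict_result) for each case."""
    return [(p, h, naive_match(p, h), strict_match(p, h)) for p, h in cases]

if __name__ == "__main__":
    for pattern, host, naive, strict in compare():
        flag = "  <-- disagreement" if naive != strict else ""
        print(f"{pattern:18} {host:18} naive={naive!s:5} strict={strict!s:5}{flag}")
```

The two matchers disagree only on the wildcard-plus-partial-IP case and on the wildcard placed outside the left-most label; ordinary DNS wildcards and exact addresses behave the same in both.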

Chrome 7

Google is also joining the Web browser update parade this week with the release of Chrome 7.0.517.41 for its stable channel. The release marks the first stable Chrome 7.x release for Google, after having been in its development channel for the last three months.

With Chrome 7.0.517.41, Google is providing at least 11 security fixes, five of which are labeled as having high impact and one listed as critical. The critical flaw is a browser crash issue related to the form autofill capability.

As was the case with Firefox, memory corruption issues are part of the Chrome fix list. Google has credited researcher Simon Schaak with reporting memory corruption issues with animated GIF images in Chrome.

Chrome 7.0.517.41 also provides a high impact fix for a possible URL spoofing issue that could have occurred when the page is unloaded.

Though not technically labeled as a security fix, Chrome 7.0.517.41 improves user security with new cookie settings.

"If you choose to block sites from setting any data in your browser’s content settings for cookies, you can now use a new dialog for managing blocked cookies in bulk," Jeff Chang, Google product manager, wrote in a blog post.

Sean Michael Kerner is a senior editor at, the news service of, the network for technology professionals.

Follow eSecurityPlanet on Twitter @eSecurityP.