Mozilla Update Quashes Slew of Firefox Flaws
Ten fixes in Firefox 220.127.116.11 improve security, addressing cross-site scripting and other vulnerabilities.
In its largest vulnerability fix since 2006, Mozilla's new Firefox 18.104.22.168 release addresses a slew of problems ranging from information leakage to cross-site scripting (XSS).
Mozilla issued 10 security advisories alongside the new Firefox release, the largest number of publicly acknowledged vulnerability advisories for a Firefox release since the 2.x browser first debuted.
The previous Firefox release -- version 22.214.171.124 -- only fixed a single issue.
Though the total advisory count is high, Mozilla only identified three of the ten vulnerabilities in 126.96.36.199 as being critical. The group classifies vulnerabilities as critical, high, moderate or low based on the ease of executing the exploit as well as the impact that the vulnerability has on the browser.
Among the critical items is a fix for what Mozilla's Security Advisory 2008-01 calls "Crashes with evidence of memory corruption." The advisory provides few specifics on the crashes themselves, other than to note that they could lead to exploitation.
Privilege escalation, XSS and remote code execution are the subject of Security Advisory 2008-03. According to Mozilla, the vulnerability could allow an attacker's XMLDocument.load() function to inject an arbitrary script, which could lead to exploitation.
The last critical exploit addressed in Firefox 188.8.131.52 is a Web browsing history and forward navigation-stealing vulnerability. Mozilla's advisory explained that the way Firefox handles images after a user exits a page could have enabled an attacker to crash a browser and possibly steal a user's navigation information.
Another vulnerability addressed by the Firefox update is Security Advisory 2008-05, which fixed a flaw allowing directory traversal via chrome, the browser's rendering interface. Mozilla classified the vulnerability as a high-severity issue.
Firefox 184.108.40.206 also fixed three vulnerabilities labeled as "moderate" severity by Mozilla. They include fixes for multiple file input focus-stealing vulnerabilities, stored password corruption and file action dialog tampering.
While Mozilla developers continue to update the Firefox 2.x series for security issues and bug fixes, work continues on Firefox's next generation as well.
Firefox 3 Beta 3 is set for launch on Feb. 11, with a fourth and final Beta scheduled for Feb. 26. The previous Firefox 3 milestone, Beta 2, emerged in mid-December.
Article courtesy of InternetNews.com