Firefox gets security tune-up

By

Mozilla has issued a pair of updates for its Firefox web browser.


The open-source group posted fixes for both Firefox 2 and 3, addressing critical vulnerabilities in both versions of the browser along with compatibility and stability fixes.

Firefox 3 received three fixes, each addressing flaws rated as 'critical' by Mozilla. Each flaw could be targeted by an attacker to perform remote code execution attacks on the user's system.

The first of the patches only affects MacOS X users. The vulnerability could allow for an attack launched from a malformed GIF file. The specially-crafted image could be used to cause an application crash which would then leave the system vulnerable to remote code execution.

The second flaw addresses an issue related to the handling of uniform resource identifier (URI) code, which allows external applications to access the browser.

Researcher Billy Rios found that adding certain symbols to a URI could allow an attacker to bypass Firefox's security measures and launch further attacks on the browser, such as the Safari 'carpet bomb' attacks reported last month.

The third vulnerability addresses the way Firefox handles cascading style sheet (CSS) code. An attacker could use a specially-crafted CSS object to cause an application crash which would then allow remote code execution.

Firefox 2 also received updates. The older version of the browser was also found to be vulnerable to the CSS and URI attacks, though a patch for the OS X GIF vulnerability was not deemed necessary.

Users can download both of the updates from Mozilla, though both the US Computer Emergency Response Team (US-CERT) and security group Sans recommend that Firefox 2 users consider upgrading to the new version of the browser, as support for Firefox 2 is set to end later this year.
Got a news tip for our journalists? Share it with us anonymously here.
Copyright ©v3.co.uk
Tags:

Most Read Articles

NSW Police to embark on $126m IT overhaul

NSW Police to embark on $126m IT overhaul

CBA looks to GenAI to assist 1200 'security champions'

CBA looks to GenAI to assist 1200 'security champions'

Australia's super funds told to assess authentication controls

Australia's super funds told to assess authentication controls

Woolworths' CSO is Optus-bound

Woolworths' CSO is Optus-bound

Log In

  |  Forgot your password?