Mozilla Firefox seals up multiple flaws

Mozilla has fixed eight vulnerabilities in Firefox that could lead to cross-site scripting attacks and the execution of arbitrary code.

The open-source browser maker asked users running Firefox 2.0 to upgrade to version 2.0.0.1, and those still using Firefox 1.5 to upgrade to version 1.5.0.9. In addition, users of the Thunderbird e-mail client are urged to upgrade to version 1.5.0.9, and those running SeaMonkey, an internet suite, to version 1.0.7.

Mozilla ranked the threat level of five of the flaws "critical," two "high" and one "low." Vulnerability tracking firm Secunia ranked the package of vulnerabilities "highly critical."

Window Snyder, Mozilla's security chief, told SCMagazine.com that discovering holes in Firefox offerings should not be viewed as a negative.

"It's definitely a good thing for us to identify bugs, and when we're fixing more bugs, the product is more secure," she said.

Researchers noted that Mozilla failed to fix a password manager vulnerability in Firefox. The bug, reported Nov. 21 by Chapin Information Services, exposes saved usernames and passwords to attackers through a vulnerability being called a "reverse cross-site request."

"The flaw could affect anyone visiting a weblog or forum website that allows user-contributed HTML codes to be added," according to Chapin.

Snyder said Mozilla is planning to plug the hole in its next version release, scheduled to appear in six to eight weeks.

"We want to make sure we're addressing it the right way," she said. "The way we want to fix it requires more of an investment."

The issue has been fixed in MySpace, where it was first reported, Snyder said.