Mozilla urges upgrades for product flaws

Mozilla is reporting three vulnerabilities affecting its products - the most severe being a JavaScript flaw that could allow for the remote execution of code - US-CERT (the U.S. Computer Emergency Readiness Team) said today in an alert.

The bugs are corrected in Firefox 1.5.0.8, Thunderbird 1.5.0.8 and SeaMonkey 1.0.6, but browser users are encouraged to upgrade to Firefox 2.0.

The riskiest vulnerability - affecting Mozilla's web browser Firefox, email client Thunderbird and internet suite SeaMonkey - can be exploited by a malicious user modifying a Script object, which could allow for the remote execution of arbitrary JavaScript code, according to a Mozilla advisory issued Tuesday.

The second flaw could allow for the forging of RSA digital signatures, according to Mozilla.

"Forging an RSA signature may allow an attacker to craft a TLS/SSL or email certificate that will not be detected as invalid," the US-CERT alert said. "This may allow that attacker to impersonate a website or email system that relies on certificates for authentication."

The third vulnerability is related to memory corruption and could lead to a system crash.

News of the bugs comes two weeks after Mozilla released its latest browser version, Firefox 2.0.

Like Microsoft's Internet Explorer 7, also released last month, Firefox 2.0's most significant security feature is new anti-phishing technology, Window Snyder, Mozilla's recently hired security chief, has told SCMagazine.com. 

A less visible security feature rests in the browser's use of "sandboxing," which prevents untrusted - possibly malicious - code from interacting outside the context of a specific webpage, Snyder said.

Click here to email Dan Kaplan