Tech News

Mozilla releases security updates

By Steve Ragan Feb 27, 2007, 16:02 GMT

Mozilla, the makers of the Firefox browser, have released several security fixes. These fixes come in the shape of Firefox version 2.0.0.2 and 1.5.0.10. There were fourteen fixes total. MFSA 2007-01 to MFSA 2007-08 on both the 1.5 and the 2.0 versions were patched. Three critical updates, two of which were found in both 2.0.0.1 and 1.5.0.9 were patched with the new releases. “Michal Zalewski reported a memory corruption vulnerability in Firefox 2.0.0.1 involving mixing the onUnload event handler and self-modifying document.write() calls,” Mozilla said in MFSA 2007-08. The other critical release, found in both versions of the browser, was MFSA 2007-01, which deals with various crashes with evidence of memory corruption. Another major patch, MFSA 2007-06, listed as critical on the 1.5 version and only moderate on the 2.0 version, dealt with two potential buffer overflow vulnerabilities found by researcher regenrecht in the Network Security Services (NSS) code for processing the SSLv2 protocol.There are some reports of unpatched items; one is reported to be memory corruption flaw that if a user were to visit a malicious webpage the ability to inject harmful code remotely could be exploited. Another minor flaw discovered, is one that forces Firefox to open a new window with a blank address bar and the reload button disabled. The odd thing about the reported unpatched memory corruption flaw is that it was in fact patched; Mozilla just did not know they patched it.Confirmed by Michal Zalewski, when Firefox version 2.0.0.2 went live, something strange happened. According to Zalewski, “When 2.0.0.2 went live, some devs noticed that it doesn't crash with my test case, though it still crashes trunk builds. After a brief moment of confusion, they determined that a fix for an unrelated, obscure non-security bug 364692 had altered the behavior this vulnerability depended on, accidentally rendering 2.0.0.2 not vulnerable to the attack. This was then fixed on trunk, and voila. I can't really comment on whether this fixes the problem once and for all, because I haven't really examined the changes implemented for 364692, but yeah, my example no longer crashes the browser for me.”Firefox 2.0.0.2 and 1.5.0.10 can be downloaded from the Firefox website or via auto update. Firefox is almost at its end of life for those who have not updated. It is said to complete its development cycle on April 24, 2007.

On the Web

Blowing Up Blogs

Place your ad here
Loading...

Your Talkback on this Story

Latest Headlines in Tech

Older Talkback

Like M&C on Facebook

Custom Search

Viral Web

In Monsters and Critics

: Arts; Books; DVD; Gaming; Lifestyle; Movies; Music; News; People; Science & Nature; Sport; TV; Archives
Other Languages and Sites: Deutschland (Monsters and Critics); The Tech Herald; Free Games Herald; XPRNC; Deutschland (Der Technikbote); Deutschland (Bellalu)

Entertainment: Arts; Books; DVD; Gaming; Movies; Music; People; Soundtracks; TV
Media: Celebrity Photos; Movie Pictures; Movie Trailers; Movie Posters; Theatre Stills
Released this week: Movies - USA; Movies - UK; DVD - USA
Distractions: Online Games; Daily Crossword; Sudoku Classic; Daily Jigsaw

World News: US; UK; Americas; Europe; Middle East; Asia Pacific; South Asia; Africa; Business; Education; Health
Science and Tech: Science and Nature; Technology
Lifestyle: Autos; Fashion; Life; Travel

Corporate

: About; Advertise; Contact; The Team; Vacancies; Privacy; RSS; Site Map; Terms; Webmasters

The Fine Print

© 2003 - 2012 by Monsters and Critics.com, WotR Ltd. All Rights Reserved. All photos are copyright their respective owners and are used under license or with permission. * Note M&C cannot be held responsible for the content on other Web Sites.

Servers supplied by Servint