Firefox joins security patch day treadmill

Firefox joins security patch day treadmillMozilla is joining Microsoft and Opera on the browser patching treadmill.

The open-source group has rolled out the final security fix for the Firefox 2 branch and a new version of Firefox 3 to plug about a dozen security holes that could lead to remote code execution attacks, browser crashes and information disclosure issues.

[ SEE: ‘End of life’ beckons for Firefox 2 ]

In all, Mozilla released eight different bulletins with details on the security flaws. Three of the bulletins carry a “critical” label, meaning they can be exploited “to run attacker code and install software, requiring no user interaction beyond normal browsing.”

One of the bulletins carry a “high severity” rating, meaning it can be used by hackers “to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.”

[ SEE: ‘Extremely severe’ vulnerabilities in Opera browser ]

The details:

  • MFSA 2008-69 XSS vulnerabilities in SessionStore
  • MFSA 2008-68 XSS and JavaScript privilege escalation
  • MFSA 2008-67 Escaped null characters ignored by CSS parser
  • MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters
  • MFSA 2008-65 Cross-domain data theft via script redirect error message
  • MFSA 2008-64 XMLHttpRequest 302 response disclosure
  • MFSA 2008-63 User tracking via XUL persist attribute
  • MFSA 2008-60 Crashes with evidence of memory corruption (rv:

Some of the bugs only affect Firefox 3 so it is important for all Firefox users to apply the update that’s released via the browser’s automatic patching mechanism.

As I previously reported, Mozilla is not planning any more security and stability updates for Firefox 2. If you are still on the old version, also note that the Google-powered anti-phishing protection will no longer be available for Firefox 2 users.

ALSO SEE: As attacks escalate, MS readies emergency IE patch

* Image source: _sarchi’s Flicker photostream (Creative Commons 2.0)

[Source: zdnet]