Firefox Fixes Three Security Flaws, Though More Remain - InformationWeek
11/27/2007
02:54 PM

Firefox Fixes Three Security Flaws, Though More Remain

The vulnerabilities could be used to gather sensitive data from sites in other windows or inject data or code into those sites, Mozilla said.

Mozilla has released Firefox 2.0.0.10, an update that addresses three security flaws.

The update issued Monday fixes a Java Archive handling vulnerability found in February that allows an attacker to hide exploit code in a Java Archive (.jar) file. It also fixes a memory corruption bug and a flaw that allowed an attacker to generate a fake HTTP Referer header for conducting a Cross-site Request Forgery (CSRF) attack.

Each of the three vulnerabilities is rated "high" by Mozilla, meaning the flaws could be used "to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions."

The Mozilla Community called for help testing the update last week and said improved code would be released this week. Firefox 3 Beta 1 was released last week as a developer preview.

Not fixed in Firefox 2.0.0.10 is a QuickTime flaw reported last week that affects both Mac and Windows users.

"An attacker can lure a victim to load a Web page with an embedded media object or a file in an e-mail, triggering a bounds checking error in QuickTime that may allow execution of arbitrary code," the Mozilla Security Blog explains. "This issue impacts QuickTime on Windows and on Mac OS and there is proof-of-concept code publicly available. If QuickTime is set as the default media player, Firefox will send the request directly to QuickTime. Mozilla is currently investigating this issue to identify ways to protect Firefox users."

In a report released today, the SANS Institute listed Web browser vulnerabilities among other top security issues in 2007. The SANS list cites 14 security vulnerabilities in Firefox in 2007 and 21 in Internet Explorer.

"The browser is really the main gateway today for malware," said Johannes Ullrich, CTO of the SANS Internet Storm Center, on a Tuesday morning conference call.
