Mozilla security

Mozilla update repairs Firefox buffer overflow vulnerabilities

Repairs fix several critical memory corruption errors and buffer overflow flaws that could cause the browser to crash and leave users vulnerable to attack.

Mozilla issued an update to its popular Firefox browser this week, repairing more than a dozen flaws that could cause the browser to operate erratically and crash or allow remote attackers to target vulnerable users.

The browser maker issued 10 advisories on Tuesday, five critical, fixing memory corruption errors, buffer overflow flaws and an object handling flaw that could enable an attacker to execute malicious code and gain access to sensitive data. Firefox 3.5.4 and 3.0.15 plug 16 holes were addressed in a variety of browser functions.

Mozilla repaired four critical memory corruption errors affecting the browser engine and the JavaScript engine. In its advisory, Mozilla said some of the errors could be targeted by attackers to execute arbitrary code.

The browser maker also updated several third-party libraries used to render media. The corrupted libraries were used by the browser to read Ogg Vorbis encoded media files.

“Some of the bugs discovered could potentially be used by an attacker to crash a victim’s browser and execute arbitrary code on their computer,” Mozilla said.

Other serious flaws were repaired. The Mozilla update fixed a heap-based buffer overflow in Mozilla’s string to floating point number conversion routines; A flaw that could enable an attacker to execute malicious JavaScript code with chrome privileges; and an error in Mozilla’s GIF image parser.

Last month, Mozilla released a new feature it said would help get users to update third-party plugins. The changes came in the release of Firefox 3.5.3 and Firefox 3.0.14.

Mozilla pushes out update, provides security suite add-ons

Browser maker provides package of add-ons for security focused Firefox users.

Mozilla pushed out a Firefox security update Friday, repairing nearly a dozen flaws that could enable an attacker to crash the browser or take complete control of a computer.

Firefox 3.0.14 and 3.5.3 fixes several critical vulnerabilities including a dangling pointer flaw reported via TippingPoint’s Zero Day Initiative that could allow an attacker to run malicious code on a victim’s computer. In addition a critical error in FeedWriter could be used by an attacker to run JavaScript code from Web content with elevated privileges, Mozilla said.

In addition Mozilla fixed nine memory corruption errors with the release of Firefox 3.0.14 and 3.5.3. The vulnerabilities resulted in crashes to the browser engine or the JavaScript engine.

Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

New security add-ons package

Mozilla is offering end users what it calls a Full Security Suite. What it has done is collected four security-oriented add-on tools that users can use to protect themselves from Web-based attacks.

• NoScript helps stop a click jacking attack by preventing unauthorized code from running within the browser.
• Better Privacy helps users concerned about their privacy to stop companies from tracking them using a new Flash-based cookie called a Local Shared Object (LSO).
• AddBlock does what the name implies. It blocks those annoying add banners.
• WOT or Web of Trust assigns color coding to more than 20 million websites based on the threat they pose. It can warn if you suddenly browse to a high risk site and even block inappropriate content for children.

The package is a nice start to highlight the tools, which have been available to end users for quite some time. The tools each come with their own unique set of issues. NoScript for example may block some website features and need tweaking from time to time. AddBlock could also pose that problem.

Mozilla helps Adobe push out faster patches

Mozilla is coming to the aid of third-party vendors whose components are used in its popular browser.

Mozilla is releasing a new feature in Firefox that will warn users of the popular browser that their Adobe Flash plug-in is out of date.

The changes will come to the upcoming releases of Firefox 3.5.3 and Firefox 3.0.14.

Mozilla’s Human Shield, Johnathan Nightingale, announced the new feature in a blog entry last week:

Our intent is to get the user’s attention, and direct them to the Adobe website where they can download the most up to date version. For users who are already running the latest version, or who don’t have the Adobe Flash Player installed, the page will look very much like what they would normally see after a Firefox security update.

Nightingale said Mozilla hopes to provide similar checks for other third-party plug-ins in the future.

Adobe has been under fire of late for its patching processes. The software maker has had a slew of updates over the last year as attackers targeted holes in its popular PDF reading software and its Flash player in drive-by attacks.

Last month, Mickey Boodaei, the CEO of security vendor Trusteer criticized Adobe after a review of more than 2 million Trusteer users found that nearly 80% of Flash users were using a flawed version of the browser component two weeks after Adobe pushed out the patch.

By default, Adobe set its Flash component to check for a new version every 30 days, resulting in a patching delay when a security update is issued. Adobe has an extremely large install base so setting the update check for every day or every week could overburden its servers and cause even more problems.