Mozilla Fixes Critical Flaws In Updated Firefox 3
Mozilla's latest Firefox upgrade, version 3.0.6, repairs one critical vulnerability that could open the door for hackers to launch an attack remotely, as well as two errors considered high-risk that could enable attackers to infiltrate a user's computer.
Mozilla's one critical fix addressed several identified stability glitches affecting the Firefox browser and other Mozilla products. Several of the bugs showed evidence of memory corruption, which could be exploited to run arbitrary code, Mozilla researchers said in a posting. As a workaround, Mozilla researchers recommended that users disable JavaScript until the latest version of the browser can be installed.
In addition, Mozilla repaired two high-severity bugs, one of which could allow an attacker to infiltrate and steal the contents of a user's local file. The other high-severity patch fixed an error that would enable hackers to execute malicious JavaScript within the context of another Web site.
Mozilla also fixed a moderate-severity error that allowed attackers to load a privileged chrome document by enticing users to download two documents -- a malicious HTML file and a desktop shortcut file. The attackers could then inject malicious code into the chrome document and execute it with chrome privileges. While the vulnerability could leave users open to arbitrary code execution, the error was given a moderate rating due to the relative complexity of the attack, Mozilla researchers said.
Other Firefox security updates included a fix for a glitch in which the browser ignored HTTP directives not to cache Web pages. The glitch could allow other users working on a shared system to view improperly cached pages containing private data, exposing sensitive information, if they navigated the browser back.
In addition, Firefox version 3.0.6 addressed an error that allowed a bypass of the security mechanism designed to restrict JavaScript access to cookies marked HttpOnly.