Firefox Update Fixes Critical JavaScript Flaws
The latest version, Firefox 3.0.1.1, addresses several critical JavaScript vulnerabilities that enable attackers to launch malicious code and install unwanted software designed to steal information and record keystrokes, with no user interaction beyond normal Web browsing. Subsequently, users are advised to disable Java as a workaround until they install the updated version of Firefox. The update also addresses errors fixed in Mozilla's Thunderbird 2.0.0.22 and SeaMonkey 1.1.17
Among the four critical errors repaired by the Firefox update was a JavaScript chrome privilege escalation vulnerability, which enabled attackers to launch malicious code to take control of a user's computer. An attack could occur via a chrome privilege object, such as the browser sidebar or the FeedWriter, that could interact with the Web content to allow remote code execution.
Meanwhile, the latest version of Firefox also fixed several critical memory errors, one of which leaves users susceptible to an attack if they navigated away from a Web page during a Java applet load, resulting in a free memory read. If exploited, the attacker could access the freed memory before it was reused in order to run malicious code on the victim's computer.
The update also fixed a slew of stability bugs in the Firefox browser engine, as well as other Mozilla products, that could lead to crashes and arbitrary code execution if left unpatched.
A fix was made to another flaw that could allow hackers to launch an attack exploiting an SSL glitch occurring in the way a connect request is sent to a proxy server and a non-200 response is returned. An attacker could potentially intercept a connect request and reply with a non-200 response containing malicious code that could be executed while the user was making an SSL request. The flaw allows remote code execution but was given the less severe ranking of "high" due to the fact that a successful attack would require the victim to have a proxy configuration.
Additionally, the update addresses one moderate error that allows users to access other local files once a newly loaded document is opened. Two low-priority vulnerabilities also were patched, including a content loading error and a glitch that allowed URL spoofing with invalid Unicode characters.
The latest Firefox, version 3.0.1.1, is automatically updated to Firefox users and requires a browser restart.