Mozilla Firefox Update Squashes Nine Security Bugs

Mozilla repaired a slew of bugs Wednesday in a comprehensive Firefox update totaling nine fixes, five of which are deemed critical.

Altogether, the latest version, Firefox 3.6.11, addresses five flaws that enable hackers to launch malicious attacks onto users' systems remotely, as well as two errors that carry the slightly less severe rating of "high" and one that is considered "moderate." The update runs across Windows, Mac OS X and Linux environments.

Specifically, the latest Firefox update repaired two memory corruption errors that could potentially be used by hackers to execute arbitrary code. One of the fixes addressed a buffer overflow and memory corruption flaw that could occur by passing an excessively long string to document.write. The other update entailed a comprehensive fix for Mozilla termed as "several miscellaneous memory safety hazards."

Firefox 3.6.11 also patched a critical library loading vulnerability. Researchers found that a library loading function used for external libraries on Windows was vulnerable to binary code attacks if an attacker were to place a similarly named executable -- a malicious shared library with the same name -- in the current working directory or any other location that Windows searches for executables. The attacker could then load their own malicious library by replacing the legitimate file.

Sponsored post

In addition, the update fixed a critical dangling pointer vulnerability in LookupGetterOr Setter, as well as a use-after-free error in nsBarProp.

Next: Mozilla Addresses Less Critical Flaws

Another fix repaired vulnerabilities designated with the slightly less severe rating of "high" included a cross-site scripting flaw in the gopher parser allowing hackers to exploit text to HTML tags by converting the text into executable JavaScript. An attacker could create a file or directory on a Gopher server with the encoded script, which would then run in a victim's browser within the site context.

Additionally, the update addressed a cross-site information disclosure glitch, also given the severity ranking of "high" as well as a SSL wildcard certificate bug ranked "moderate," and an "insecure Diffi-Hellman key exchange, given a "low" severity ranking.

Users can access the Firefox update directly from the Mozilla site.