Critical Security Patches to Mozilla Firefox


« Urgent Adobe Acrobat & Flash Security Advisory | Main | Twitter Used to Control Botnets »

08/04/2009



Critical Security Patches to Mozilla Firefox

Kevin R. Smith
Co-Editor


On the heels of an announcement a couple of days ago from Adobe about security flaws in Acrobat, Reader, and Flash, Mozilla just released versions 3.5.2 and 3.0.13 of Firefox to patch two security flaws they're calling "critical".

From the Mozilla Foundation's security announcement,

"We strongly recommend that all Firefox users upgrade to this latest release....

"This update can be applied manually by selecting 'Check for Updates...' from the Help menu."

3.0 and 3.5 releases of Firefox have different vulnerabilities being patched with their respective releases, but each of them are definitely well worth taking the time to patch your browser to fix.

Here's a brief recap of the fixes (for complete details visit the following URLs):

Firefox 3.5.2 Release Notes
Firefox 3.0.13 Release Notes



Firefox 3.0.13 Fixes
Mozilla Advisory # Fix Details Why It Matters
2009-42 "These certificates could be used to intercept and potentially alter encrypted communication between the client and a server such as sensitive bank account transactions." A subtle flaw in the way HTTPS (i.e. SSL sites) have their security certificates handled in Firefox means an attacker could lead you to believe you're on a secure site, like your bank, when in fact, you're at their evil site--even if it looks perfectly legitimate.
2009-43 "This vulnerability could be used to compromise the browser and run arbitrary code by presenting a specially crafted certificate to the client." An attacker can craft a security certificate that will cause Firefox to run any code of their choosing on your computer.



Firefox 3.5.2 Fixes
Mozilla Advisory # Fix Details Why It Matters
2009-45 "Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code." Memory corruption is never a good thing. In the case of software like Firefox, it can mean an attacker running code of their choosing on your PC.
2009-46 "Mozilla security researcher moz_bug_r_a4 demonstrated that the broken functionality was due to the window's global object receiving an incorrect security wrapper and that this issue could be used to execute arbitrary JavaScript with chrome privileges." Similar story here: with enough care, an attacker could write code, Javascript in this case, to run code of their choosing on your computer.



While we've not tested these various vulnerability and whether or not antivirus software could help insulate your PC from these various attacks, that's one of the things we rely on antivirus software for: protect our computers against unknown security issues.

A few things are definitely clear from this announcement:

  1. The bad guys aren't going to stop trying.
  2. Even good software like Firefox has bugs.
  3. If you think just because you're running Firefox, you're immune from such exploits, think again.
  4. While antivirus software may not help protect against every possible threat, it definitely helps minimize the risks.

TrackBack

TrackBack URL for this entry:
https://www.typepad.com/services/trackback/6a0133f40d81f4970b013487649127970c

Listed below are links to weblogs that reference Critical Security Patches to Mozilla Firefox :

Comments

You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.