Mozilla patches critical Firefox flaws
And it warns Firefox 2.0 users that bugs in older browser won't be fixed
Firefox 3.0.6 fixes about half the number of bugs that Mozilla quashed in December with the previous security update.
Of the seven flaws, two were rated "critical" by Mozilla, two "high," one "moderate" and two "low" in the company's four-step scoring system. Both of the critical vulnerabilities may have significant exploit potential, Mozilla said.
"Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort, at least some of these could be exploited to run arbitrary code," the company's advisory read. If so, hackers could use the bugs to crash the browser, to introduce their own malicious code into a vulnerable system, or both.
Other patches plugged a cross-site scripting hole -- a type of bug often used by identity thieves -- and another flaw that could be exploited to steal data from Web forms.
One of the seven patches was a second attempt to fix a problem first addressed in a November 2008 update. Although Mozilla rated the bug as moderate, the second-lowest in its scale, it said the vulnerability "could potentially be used by an attacker to inject arbitrary code," a description usually reserved for critical flaws. Mozilla justified the lower ranking by saying that any attack "has relatively high complexity."
Mozilla also warned users of the older Firefox 2.0 that their browser is vulnerable to some of the bugs patched in Version 3.0, although it didn't get into specifics. "If you're still using Firefox 2.0.0.x, this version is no longer supported and contains known security vulnerabilities," said Samuel Sidler, a Mozilla engineer, in a post to the mozilla.dev.planning message group Tuesday.
Firefox 2.0 was retired from support in mid-December. Since then, Mozilla has made a third and final attempt to get Firefox 2.0 users to update to the newer Firefox 3.0, and warned users that Google Inc. has shut off antiphishing protection in the former.
The new version of Firefox can be downloaded for Windows, Mac OS X and Linux from the Mozilla site. Current users can also call up their browser's built-in updater, or wait for the automatic update notification, which should pop up in the next 48 hours.