Mozilla fixes Firefox's DLL load hijacking bug
Patches 15 vulnerabilities, also adds support for clickjacking defense
Computerworld - Mozilla on Tuesday patched 15 vulnerabilities in Firefox, 11 of them labeled critical.
One of yesterday's patches addressed a problem found in scores of Windows applications, making Firefox one of the first browsers to be patched against the DLL load hijacking bug that went public three weeks ago.
Nearly three-quarters of the vulnerabilities in Firefox 3.6 were rated "critical," Mozilla's highest threat ranking, representing bugs that hackers may be able to use to compromise a system running Firefox, then plant other malware on the machine. Of the remaining flaws, two were pegged as "high" and one each was judged "moderate" and "low."
Four of the vulnerabilities were reported to Mozilla by HP TippingPoint's Zero Day Initiative (ZDI), the largest commercial bug bounty program, while another was handed to Mozilla's developers by David Huang and Collin Jackson, of Carnegie Mellon University's Silicon Valley-based CyLab.
Jackson and Huang were two of the three Carnegie Mellon researchers who recently published a paper on CSS cross-origin theft, a topic that made news last week when a Google security engineer demonstrated how a Twitter account could be appropriated by hackers by targeting Microsoft's Internet Explorer.
But the most notable fix of the 15 was the one that patched Firefox's DLL load hijacking bug.
Last month, HD Moore, chief security officer at Rapid7, announced that several dozen Windows programs were flawed because they call code libraries -- dubbed "dynamic-link libraries," or "DLLs" -- using only a filename instead of a full pathname, giving hackers a way to commandeer a PC by tricking the application into loading a malicious file with the same name as the required DLL.
Other researchers later estimated that more than 200 different programs could be exploited, including Firefox and other browsers from Google, Opera and Apple.
Apple patched Safari's DLL load hijacking vulnerability on Tuesday around the same time that Mozilla released Firefox 3.6.9.
According to Mozilla, only Firefox running on Windows XP was vulnerable to DLL load hijacking attacks prior to Tuesday. "Firefox users on ... Vista [and later] were not vulnerable to this attack because dwmapi.dll legitimately exists in Vista and later versions and is successfully loaded by Firefox before attempting to load the planted DLL," the advisory read.
Mozilla credited security researcher Haifei Li of Fortinet with reporting the bug; separately, Li said he submitted the Firefox vulnerability, and those in six other vendors' products, on July 10.
Also included in the security update was support for the X-Frames-Options, a new HTTP response header that sites can use to stymie "clickjacking" attacks.
Firefox is the last major browser to add X-Frames-Options support.
Users can update to Firefox 3.6.9 by downloading the new edition or by selecting "Check for Updates" from the Help menu in the browser. Firefox 3.5 users can obtain the patched version 3.5.12 by calling up the integrated update tool.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- IE6: Retired but not dead yet
- Chrome users won't give up, keep pressing Google to restore old-style new tab page
- Google quashes 31 vulnerabilities, restores Metro mode 'steppers' with Chrome 34
- Firefox's UI face-lift on track for April debut
- Ex-Mozilla engineer blames Microsoft's rules for Metro Firefox's death
- Mozilla patches 20 Firefox flaws, plugs Pwn2Own holes
- Google reverses field, promises to restore Chrome's scrollbar arrows
- Update: Google ships Chrome 33, patches 28 bugs
- Mozilla's top exec defends in-Firefox ads, revenue search
- Mozilla taps in-Firefox ads as it searches for more revenue
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts