Mozilla patches critical security flaws
Dec. 20, 2006
 Mozilla Corp. today released a version 2.0.0.1 update for its Firefox browser and version 1.5.0.9 for its Thunderbird email client, for Linux, Mac OS X, and Windows machines. For those still using Firefox 1.5.x, version 1.5.0.9 includes the same security fixes.
The version 2.0.0.1/1.5.0.9 updates fix a number of critical security issues, a Mozilla spokesperson said, including:
- XSS using outer window's Function object
- RSS Feed-preview referrer leak
- Mozilla SVG Processing Remote Code Execution
- XSS by setting img.src to javascript: URI
- LiveConnect crash finalizing JS objects
- Privilege escalation using watch point
- CSS cursor image buffer overflow (Windows only)
- Crashes with evidence of memory corruption (rv:1.8.0.9/1.8.1.1)
Five of the vulnerabilities were listed as "critical" by Mozilla, with two described as "high" priority.
A "critical" vulnerability is defined as one that "can be used to run attacker code and install software, requiring no user interaction beyond normal browsing." A "high" vulnerability is one that "can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions," the company said.
The company is in the process of notifying Firefox users through automatic updates. Users who have not authorized automatic updates can download either of the new versions here. Thunderbird, which is now at version 1.5.0.9, can be downloaded immediately here.