Mozilla has updated its Firefox browser to close seven different
security holes, capping off a busy week for IT administrators
who've had to deal with
Microsoft's monthly patch release and security fixes for
Apple QuickTime and Adobe Flash Player.
Mozilla released Firefox 1.5.0.7 to
address flaws that could expose systems to man-in-the-middle,
spoofing and cross-site scripting attacks.
Danish vulnerability clearinghouse Secunia described the flaws
its advisory:
- The first problem is in how Firefox handles JavaScript regular
expressions containing a minimal quantifier. Attackers could
exploit the flaw to cause a heap-based buffer overflow and launch
malicious code.
- The second problem is that users might accept an unverifiable
self-signed certificate when visiting a Web site, which could allow
an attacker to redirect the update check to a malicious Web site in
a man-in-the-middle attack.
- The third problem are time-dependent errors that surface during
text display that could be exploited to corrupt memory and launch
malicious code.
- The fourth problem exists within the verification of certain
signatures in the bundled Network Security Services (NSS)
library.
- The fifth problem is an error in cross-domain handling that
could be exploited to inject arbitrary HTML and script code in a
sub-frame of another Web site via a
"[window].frames[index].document.open()" call.
- The sixth problem is an error that appears in certain
situations when blocked popups are opened incorrectly from the
status bar via the "blocked popups" function. This could be
exploited to execute arbitrary HTML and script code in a user's
browser session in context of an arbitrary Web site.
- The seventh problem involves some unspecified memory corruption
errors that could be exploited to launch malicious code.