Mozilla fixes multiple Firefox flaws

Digital miscreants could exploit flaws in Mozilla's popular Firefox browser to bypass security programs, access sensitive information and conduct cross-site scripting attacks.

Mozilla has released a hefty security update , fixing several flaws digital miscreants could exploit in Firefox, SeaMonkey and Thunderbird to bypass security programs, access sensitive information and launch cross-site scripting attacks.

Ultimately, the attacker could take complete control of the targeted machine. Mozilla urged users to upgrade to Firefox versions 1.5.0.9 or 2.0.0.1. The latter version is for those who recently upgraded to Firefox 2.0.

Mozilla Firefox:
Firefox antiphishing feature beats Internet Explorer in Mozilla test

Firefox, IE flaw could expose passwords

Firefox fans unfazed by IE 7

Security Blog Log: Dissecting Firefox 2.0

What if Firefox were the target?

According to the Mozilla bulletins, the vulnerabilities are:

  • Several errors in the layout and JavaScript engine attackers could exploit to corrupt system memory and launch malicious code.
  • An error that occurs when the CPU's floating point precision is reduced. This could happen on Windows machines when the user loads a plug-in creating a Direct3D device. Doing so could prevent the "js_dtoa()" function from exiting, leading to memory corruption.
  • A Windows bitmap boundary error attackers could exploit to cause a heap-based buffer overflow.
  • An error in the "watch()" JavaScript function attackers could exploit to launch malicious code.
  • An error in LiveConnect that causes an already freed object to be used. Attackers could exploit this to launch malicious code.
  • An error in how the "src" attribute of IMG elements are loaded into a frame. Attackers could exploit this to change the attribute to a "javascript:" URI. They could then launch malicious HTML and script code in a user's browser session.
  • An error in how SVG comment objects are handled. Attackers could exploit this to corrupt system memory and launch malicious code.
  • A condition in which the "Feed Preview" feature of Firefox 2.0 may leak feed-browsing habits to Web sites when retrieving the icons of installed Web-based feed viewers.
  • A function prototype regression in Firefox 2.0 attackers could exploit to launch malicious HTML and script code in a user's browser session.

Read more on Operating systems software