OrangeSoul Posted April 15, 2006

http://secunia.com/advisories/19631/

Description: Multiple vulnerabilities have been reported in Firefox, which can be exploited by malicious people to conduct cross-site scripting and phishing attacks, bypass certain security restrictions, disclose sensitive information, and potentially compromise a user's system.

1) An error exists where JavaScript can be injected into another page, which is currently loading. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.
2) An error in the garbage collection in the JavaScript engine can be exploited to cause a memory corruption. Successful exploitation may allow execution of arbitrary code.
3) A boundary error in the CSS border rendering implementation may be exploited to write past the end of an array.
4) An integer overflow in the handling of overly long regular expressions in JavaScript may be exploited to execute arbitrary JavaScript bytecode.
5) Two errors in the handling of "-moz-grid" and "-moz-grid-group" display styles may be exploited to execute arbitrary code.
6) An error in the "InstallTrigger.install()" method can be exploited to cause a memory corruption.
7) An unspecified error can be exploited to spoof the secure lock icon and the address bar by changing the location of a pop-up window in certain situations. Successful exploitation requires that the "Entering secure site" dialog has been enabled (not enabled by default).
8) It is possible to trick users into downloading malicious files via the "Save image as..." menu option.
9) A JavaScript function created via an "eval()" call associated with a method of an XBL binding may be compiled with incorrect privileges. This can be exploited to execute arbitrary code.
10) An error where the "Object.watch()" method exposes the internal "clone parent" function object can be exploited to execute arbitrary JavaScript code with escalated privileges. Successful exploitation allows execution of arbitrary code.
11) An error in the protection of the compilation scope of built-in privileged XBL bindings can be exploited to execute arbitrary JavaScript code with escalated privileges. Successful exploitation allows execution of arbitrary code.
12) An unspecified error can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site via the window.controllers array.
13) An error in the processing of a certain sequence of HTML tags can be exploited to cause a memory corruption. Successful exploitation allows execution of arbitrary code.
14) An error in the "valueOf.call()" and "valueOf.apply()" methods can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.
15) Some errors in the DHTML implementation can be exploited to cause a memory corruption. Successful exploitation may allow execution of arbitrary code.
16) An integer overflow error in the processing of the CSS letter-spacing property can be exploited to cause a heap-based buffer overflow. Successful exploitation allows execution of arbitrary code.
17) An error in the handling of file upload controls can be exploited to upload arbitrary files from a user's system by e.g. dynamically changing a text input box to a file upload control.
18) An unspecified error in the "crypto.generateCRMFRequest()" method can be exploited to execute arbitrary code.
19) An error in the handling of scripts in XBL controls can be exploited to gain chrome privileges via the "Print Preview" functionality.
20) An error in a security check in the "js_ValueToFunctionObject()" method can be exploited to execute arbitrary code via "setTimeout()" and "ForEach".
21) An error in the interaction between XUL content windows and the history mechanism can be exploited to trick users into interacting with a browser user interface which is not visible. Successful exploitation may allow execution of arbitrary code.

Solution: Update to versions 1.0.8 or 1.5.0.2.

Link to comment https://www.neowin.net/forum/topic/452603-21-firefox-vulnerabilities-reported-today/

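An added example (not part of the original post or of the Secunia advisory): the advisory's solution names two fixed releases, one per branch, so a fleet check has to compare each installed version against the fix for its own branch. The host names and banner strings below are constructed, and treating "1.0" and "1.5" as the only covered branches is an assumption taken from the Solution line.

```python
import re

# Fixed releases from the advisory's "Solution" line, keyed by (major, minor) branch.
FIXED_BY_BRANCH = {(1, 0): (1, 0, 8), (1, 5): (1, 5, 0, 2)}


def parse_version(text):
    """Pull a dotted numeric version out of a banner such as 'Mozilla Firefox 1.5.0.1'."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if match is None:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.group().split("."))


def pad(version, width=4):
    """Right-pad with zeros so that 1.5 and 1.5.0.0 compare as equal."""
    return tuple(version) + (0,) * (width - len(version))


def status(text):
    """Classify one install against the fixed release of its own branch."""
    version = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return "unknown"  # branch not named in the advisory's Solution line
    return "patched" if pad(version) >= pad(fixed) else "vulnerable"


def naive_status(text, threshold=(1, 0, 8)):
    """Flawed check kept for contrast: a single threshold applied to every branch."""
    return "patched" if pad(parse_version(text)) >= pad(threshold) else "vulnerable"


# Constructed inventory for illustration only.
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 1.0.7",
    "ws-02": "Mozilla Firefox 1.0.8",
    "ws-03": "Mozilla Firefox 1.5",
    "ws-04": "Mozilla Firefox 1.5.0.1",
    "ws-05": "Mozilla Firefox 1.5.0.2",
    "ws-06": "Mozilla Firefox 1.5.0.10",
}


def audit(inventory):
    """Return {host: status} for every banner in the inventory."""
    return {host: status(banner) for host, banner in inventory.items()}


if __name__ == "__main__":
    for host, result in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {result}")
```

The contrast function shows why the per-branch table matters: 1.5.0.1 is numerically above 1.0.8, so a single-threshold check reports it as patched.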
Andrew Lyle (Global Moderator) Posted April 15, 2006

> Solution: Update to versions 1.0.8 or 1.5.0.2.

heh... I was surprised to see 21! but then I noticed all you have to do is upgrade to .2 and you'll be fine :p

chavo Posted April 15, 2006

Thanks for the heads-up, just upgraded. Seems to be running very well I might add.

bennett Posted April 15, 2006

lol I'm glad that I'm using .2 :D :p, might get other people to upgrade

Denis W. (Veteran) Posted April 15, 2006

I'm not trying to fuel any flames here, but I noticed something. Various people commented the reason why Opera's track record is so 'clean' was that Secunia withheld information about vulnerabilities until an updated build was made available. It seems as though the same scenario replays itself here for Firefox (unless these vulnerabilities were discovered somewhere else and only made public by Secunia).

BTW, how many of those vulnerabilities are 'highly critical'? There's no way each one of them is that critical - if so, this won't work that well in Mozilla's favour.

Jelly2003 Posted April 15, 2006

At least Mozilla patch vulnerabilities really quickly. I'm sure that if there are more vulnerabilities then a 1.5.0.3 patch will be released before long.

Hum Posted April 15, 2006

:huh: FF 1.5.0.2 sounds great -- but did they fix the problems that 1.5.0.1 caused? That version kept crashing and I had to roll back to 1.5 :no:

Orange Posted April 15, 2006

LOL 21? I very doubt it's gonna cause me any trouble and I haven't had no trouble with Firefox yet.. :woot:

+M2Ys4U (Subscriber¹) Posted April 15, 2006

> :huh: FF 1.5.0.2 sounds great -- but did they fix the problems that 1.5.0.1 caused? That version kept crashing and I had to roll back to 1.5 :no:

Yeah they've fixed quite a few top crashers.

Jordan M. Posted April 15, 2006

firefox 21 probs ie 10 a month

ThePitt Posted April 15, 2006

> firefox 21 probs

yea, this means that FF is getting popular :p

iwod Posted April 15, 2006

Well they are all fixed in the latest version anyway. All you need is to keep yourself updated ^^

Barney T. (Administrators) Posted April 15, 2006

So, I guess that the lesson here is that all browsers have their share of vulnerabilities. The difference really points to who can update and fix these the fastest.............. and make them available to the general public quickly :yes:

Barney

em_te Posted April 15, 2006

They should make the new version number 1.5.1 to urge people to upgrade or else people will think that 1.5.0.1 is so minor that they'll ignore it.

MrA Posted April 15, 2006

> I'm not trying to fuel any flames here, but I noticed something. Various people commented the reason why Opera's track record is so 'clean' was that Secunia withheld information about vulnerabilities until an updated build was made available. It seems as though the same scenario replays itself here for Firefox (unless these vulnerabilities were discovered somewhere else and only made public by Secunia).
>
> BTW, how many of those vulnerabilities are 'highly critical'? There's no way each one of them is that critical - if so, this won't work that well in Mozilla's favour.

If this is the case, all blame should be squarely placed on Secunia. Mozilla publishes its flaws http://www.mozilla.org/security/announce/ and you can see what's fixed http://www.mozilla.org/projects/security/k...rabilities.html

Oh, and quite a few of those are 'highly critical' according to Mozilla. Secunia lists one as 'extremely critical' and 8 as 'highly critical'.

EDIT: Fixed links

Edited April 15, 2006 by MrA

+M2Ys4U (Subscriber¹) Posted April 15, 2006

^ Broken links.

Anyways, 21 reported vulnerabilities today, 21 fixes yesterday :p

HDW-mobile Posted April 15, 2006

:huh: installed already latest version... :huh: never had problems...

Denis W. (Veteran) Posted April 15, 2006

> If this is the case, all blame should be squarely placed on Secunia. Mozilla publishes its flaws http://www.mozilla.org/security/announce/ and you can see what's fixed http://www.mozilla.org/projects/security/k...rabilities.html
>
> Oh, and quite a few of those are 'highly critical' according to Mozilla. Secunia lists one as 'extremely critical' and 8 as 'highly critical'.
>
> EDIT: Fixed links

Ah, that clarifies it. Well, good for Mozilla for somehow making Firefox download the 1.5.0.2 update in the background - without prompting me. :shiftyninja:

on a related note, anyone happy that a certain member here was banned before something like this broke out? he would've gloated about new vulnerabilities in Firefox.

Scorbing Posted April 15, 2006

> http://secunia.com/advisories/19631/
> Description: Multiple vulnerabilities have been reported in Firefox [...]
> Solution: Update to versions 1.0.8 or 1.5.0.2.

Another great reason to move to Opera, the fastest, most secure browser...Period.

theyarecomingforyou Posted April 15, 2006

> Anyways, 21 reported vulnerabilities today, 21 fixes yesterday :p

It's annoying / disheartening that so many vulnerabilities have been found, though at least they're fixed quickly.

Raven Posted April 15, 2006

The title is misleading. If upgrading to the latest version fixes the problems then there are no problems. You could easily go back to version 5 of IE and say there are hundreds of problems.

sp0rk Posted April 15, 2006

> I'm not trying to fuel any flames here, but I noticed something. Various people commented the reason why Opera's track record is so 'clean' was that Secunia withheld information about vulnerabilities until an updated build was made available. It seems as though the same scenario replays itself here for Firefox (unless these vulnerabilities were discovered somewhere else and only made public by Secunia).
>
> BTW, how many of those vulnerabilities are 'highly critical'? There's no way each one of them is that critical - if so, this won't work that well in Mozilla's favour.

It's nothing new. Common courtesy among people that find exploits is generally to notify the vendor before releasing it. They usually wait until they feel a fair amount of time has passed after notifying them before releasing the exploit.

Of course I don't know how Secunia gets their exploits, I'm assuming they're already out in the wild when they find them. So at that point, they're just helping to not spread them prior to them being patched.

Slimy Posted April 15, 2006

@Raven or firefox 1.0, where does IE come in here?

It's interesting how these vulnerabilities are mentioned after an updated version is released. It's been a while before .1 was released, and those vulnerabilities were there at the time too. But once again, competition is good, wonder what ms thinks about these fixes.

+Cryton (Subscriber²) Posted April 15, 2006

Thanks for spreading more FUD Neowin! If you'd bothered to check half those bugs, you'd see they're references to fixes that were in the 1.5 and/or 1.5.0.1 releases, and others were variations on exploits or dupes that all got fixed in one bug:

CVE-2006-0749 - Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8
CVE-2006-1731 - Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8
CVE-2006-1732 - Unspecified vulnerability in Mozilla Firefox and Thunderbird 1.x before 1.5
CVE-2006-1733 - Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8
CVE-2006-1734 - Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8
CVE-2006-1735 - Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8
CVE-2006-1736 - Mozilla Firefox 1.x before 1.5 and 1.0.x before 1.0.8,
CVE-2006-1737 - This candidate has been reserved by an organization or individual that will use it when announcing a new security problem.
CVE-2006-1738 - This candidate has been reserved by an organization or individual that will use it when announcing a new security problem.

Which leaves the following that were fixed in 1.5.0.2:

CVE-2006-1529, CVE-2006-1530, CVE-2006-1531, CVE-2006-1723 & CVE-2006-1724 all covered by http://www.mozilla.org/security/announce/2...fsa2006-20.html (DHTML crashes with evidence of memory corruption)

and CVE-2006-1725, CVE-2006-1726, CVE-2006-1727, CVE-2006-1728, CVE-2006-1729 & CVE-2006-1730

which is 7 security fixes in 1.5.0.2

Had a user been upgrading from firefox 1.0.7, then your headline "Firefox Update Contains 21 Security Fixes" would be semi-accurate. However, since 99.99% of people were going from 1.5.0.1 to 1.5.0.2, I can't help but think in this case, your "unprofessional journalism" looks decidedly worse to me.

Edited April 15, 2006 by Cryton

Slimy Posted April 15, 2006

^ If you're going to be mad at anyone, you should blame Secunia.