Mozilla released an update Thursday that corrects several vulnerabilities in the Firefox Web browser.
Firefox 220.127.116.11 patches critical flaws that could result in the theft of Web browsing history and forward navigation information; privilege escalation that could allow cross-site scripting exploits; and crashes with evidence of memory corruption.
The Firefox updates round out a busy week of critical patches — Adobe Reader, QuickTime and Skype also reported bugs, said Mike Haro, a senior security analyst at Sophos.
“A few of these Firefox bugs are viewed as critical, namely due to privacy concerns. One in particular deals with Firefox’s convenient session restore feature and how that functionality can be used by an unauthorized user to access certain sensitive information,” he told LinuxInsider.
Firefox still trails significantly behind Microsoft’s Internet Explorer in number of users, making it less of a target for cyber-criminals who use flaws in browser code to misappropriate a user’s personal information. That, however, does not mean that consumers and businesses running Firefox can forgo installing the update.
“If you want to use Firefox or (Apple’s) Safari, they aren’t going to be targeted as often as Internet Explorer. But they are not impervious to attack and are not the most secure applications in the world,” said Chris Rodriguez, a Frost & Sullivan analyst.
The four less severe vulnerabilities — MFSA 2008-11, MFSA 2008-10, MFSA 2008-09 and MFSA 2008-08 — would play a supporting role in an attack, he told LinuxInsider.
“For example, one would help in a phishing-style attack. One, 2008-09, is just an annoyance. After you save a file it asks if you want to save it again. That’s more of an annoyance than anything else, but you can imagine how this could be combined to make a successful attack and get you to save another program. They have to be used in conjunction [with malware] to pull off a successful attack,” Rodriguez explained.
Of the three most severe vulnerabilities — MFSA 2008-01, MFSA 2008-03 and MFSA 2008-06 — Rodriguez said 2008-06 was the most worrisome. It could be used to “steal a user’s navigation history, forward navigation information and crash the user’s browser,” according to Mozilla. In addition, Mozilla reported that the crash “showed evidence of memory corruption and might be exploitable to run arbitrary code.”
Rodriguez called those the worst. “2008-06 allows them to steal info, crash the browser, and the worst effect that it has is they can run arbitrary code on the machine,” he pointed out. “01 allows them to run arbitrary code and would work for a standalone attack.”
A hacker would combine 2008-01 and 2008-08, Rodriguez pointed out.
“08 is an interesting one. It’s rated moderate, and you might think of it by itself as just an annoyance. But it would allow a hacker to pop up something right before you click. Imagine you want to click ‘no,’ but it pops up right before you click and it says ‘yes I want to download this executable.’ On its own it would be a moderate risk. But in conjunction with 2008-01, that would help the hacker to get you to upload the executable files they want you to and run arbitrary code.”
The traversal, however, was possible only when the browser had installed add-ons that used flat packaging rather than the more popular .jar packaging. The attacker would need to target that specific add-on, the software maker continued.
Another Mozilla researcher, moz-bug-r-a4, also reported that the bug could be used to steal the contents of the browser’s sessionstore.js file. That file contains session cookie data and information about currently open Web pages.
While there is little danger that the bugs could be widely exploited by criminals, the open source browser does come under attack, Haro noted.
“But in relation to the volume of attacks aimed at Windows, they are a drop in the ocean. Mozilla should be applauded for its responsiveness to known issues,” he concluded.