Mozilla Patches Firefox Vulnerabilities But Neglects One
In the first update to the Firefox 2.0 browser, issued on December 19, 2006, Mozilla repaired eight security flaws. The company says that version 184.108.40.206 of Firefox fixes memory corruption errors, among other flaws. Mozilla also resolved similar problems in the Firefox 1.5 browser and released version 220.127.116.11. This browser was last modified in November 2006 and is to be dropped from the company's support list next year.
However, the 18.104.22.168 browser does not include a fix for at least one commonly known and disclosed flaw in open source browsers. A Password Manager defect was found in Firefox in November 2006, exposing users to the danger of having their login details stolen by fraudulent sites. The vulnerability permits a maliciously designed page to capture information meant for another site.
The company said that five of the eight flaws were given critical status. This implies that Firefox users browsing the Net would be prone to attack and remote software installation. Two of the flaws were given high security risk rating while one got a low rating.
Mozilla Foundation Security Advisory 2006-68 covers flaws that lead to crashes and that hackers can exploit to hijack memory for harmful ends. A Mozilla advisory states that a number of bugs have been patched in the Firefox 22.214.171.124 and 126.96.36.199 updates to make the products more stable. Some of the flaws were crashes that showed signs of memory corruption. It is surmised that at least a few of these could be used to execute arbitrary code.
Another critical flaw repaired in the Firefox update relates to a distinct crash. The advisory says that a wrongly calculated size in the process of conversion of a picture to a Windows bitmap can lead to a heap buffer overflow, which could be exploited to infect the victim's computer.
Mozilla's advisory and information on the update can be seen on the company's Web site. Mozilla issued Firefox 2.0, the second significant update to its open-source browser, in October.
» SPAMfighter News - 23-12-2006