RealTime IT News

Firefox Fixes IE Flaws

Mozilla has updated its flagship Firefox browser to version 2.0.0.5 with at least nine security issues fixed.

Among them is one for an issue that was trigged when user also had Microsoft's Internet Explorer installed as well. Remote code execution by launching Firefox from Internet Explorer is addressed by Mozilla Security Advisory 2007-23.

The flaw was first reported on July 10. It involves the "firefoxurl://" uniform resource identifier (URI) handler, which enables Firefox to call on other Web resources.

Though Mozilla has fixed the flaw in Firefox 2.0.0.5, Mozilla's advisory noted that other Windows applications can be called in a similar way and also manipulated to execute malicious code.

"This fix only prevents Firefox and Thunderbird from accepting bad data," Mozilla stated in its advisory. "This patch does not fix the vulnerability in Internet Explorer."

Other critical bugs fixed include the following:

  • Mozilla Foundation Security Advisory 2007-18, which fixes crashes with evidence of memory corruption;
  • Mozilla Foundation Security Advisory 2007-23, which describes a Privilege escalation using an event handler attached to an element not in the document;
  • Mozilla Foundation Security Advisory 2007-19, which fixes a bug rated as High by Mozilla. It's a potential cross site scripting risk where scripts could be injected into another site's context by exploiting a timing issue.
  • Timing is also responsible for a low risk vulnerability addressed in Mozilla Foundation Security Advisory 2007-20 that could allow for Frame spoofing while a window is loading. According to Mozilla's advisory a pair of security researchers reported that it was possible to exploit a timing issue to inject content into about:blank frames in a page. "When opening a window from a script, it is possible to spoof the content of the newly opened window's frames within a short time frame, while the window is loading," the advisory states.

    The Firefox 2.0.05 release follows the 2.0.0.4 release by almost two months. Mozilla has not updated its Firefox 1.5.x series as part of this release update. Firefox 1.5.x was retired in May.