RealTime IT News

Mozilla Firefox 3.0.9 Fixes XSS Flaws


Netstat -vat by Sean Michael Kerner

A command line view of IT



From the "Don't refresh until you update" files:

Mozilla is out with Firefox 3.0.9 today, fixing at least one critical set of vulnerabilities and issuing 9 security advisories in total.

The one critical security issue is another "Crashes with evidence of memory corruption" advisory, which nearly every Firefox update of the past three years has included. More interestingly, Firefox 3.0.9 includes several fixes for XSS (cross-site scripting) flaws.

One of the XSS risks patched in the update deals with same-origin violations in XMLHttpRequest (XHR). XHR requests are the lifeblood of AJAX communications, and though Mozilla has only labeled this issue as "High", in my view it's the most serious issue fixed in 3.0.9.

Mozilla's advisory on the issue notes that, "An attacker could use this vulnerability to execute arbitrary JavaScript within the context of another site."

There is also a same-origin violation (in my view, this is still XSS) in how Mozilla handles Adobe Flash. According to Mozilla's advisory on the Flash handling flaw, "The Flash file can bypass restrictions imposed by the crossdomain.xml mechanism and initiate HTTP requests to arbitrary third-party sites. This vulnerability could be used by an attacker to perform CSRF attacks against these sites."
