From the ‘time to update your browsers again’ files:
Barely two weeks after Mozilla patched Firefox to version 2.0.0.15, version 2.0.0.16 is out, patching a pair of critical flaws. Users of the newer Firefox 3.x version, however, will have to wait until later today to get their fixes in the 3.0.1 update. Both Firefox 2.x and 3.x are at risk from the same two flaws.
MFSA 2008-35 is the ‘infamous’ Safari carpet-bombing flaw, which has been known for months and was first reported by researcher Billy Rios.
In Firefox 2, scripts running from file: URIs can read data from a user’s entire disk, a risk if an attacker could first place a malicious file in a guessable location on the local disk. Rios demonstrated that the so-called ‘Safari Carpet-bombing vulnerability’ could be used for this, as well as other techniques that do not rely on that now-fixed Safari vulnerability.
Apple fixed the flaw from the Safari side at the end of June. Firefox 3, which will get patched for the same flaw later today with version 3.0.1, apparently has limited exposure to this vulnerability, with Mozilla noting that “in Firefox 3 scripts running in local files have limited access to other files.”
The second critical vulnerability patched has also been known for weeks, though it has not been disclosed publicly. It comes from 3Com’s TippingPoint Zero Day Initiative and deals with a remote code execution flaw that is triggered by overflowing the CSS reference counter.
The vulnerability was caused by an insufficiently sized variable being used as a reference counter for CSS objects. By creating a very large number of references to a common CSS object, this counter could be overflowed, which could cause a crash when the browser attempts to free the CSS object while it is still in use.
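To make the bug class concrete, here is an added, constructed illustration in C of a reference counter that is too narrow for the number of references created, beside the checked variant that refuses to record a reference it cannot hold. It is not Mozilla’s CSS code; the `css_obj_t` layout, the `addref_*`/`release` helpers and the 16-bit counter width are hypothetical, chosen so the wrap can be reproduced in a few thousand iterations rather than billions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration of the bug class described above: a reference
 * counter too narrow for the number of references that can be created, so
 * it wraps and the object is freed while holders still point at it.
 * Names, layout and width are hypothetical; this is not Gecko's CSS code. */

typedef struct {
    uint16_t refcnt;   /* deliberately narrow: wraps after 65535 increments */
    int payload;
} css_obj_t;

/* Vulnerable pattern: unchecked increment, so the count silently wraps. */
static void addref_unchecked(css_obj_t *o) { o->refcnt++; }

/* Hardened pattern: refuse to record a reference the counter cannot hold.
 * Returns 0 and leaves the count unchanged; the caller must treat that as
 * failure (fail the operation, hold no reference) rather than proceed. */
static int addref_checked(css_obj_t *o) {
    if (o->refcnt == UINT16_MAX) return 0;
    o->refcnt++;
    return 1;
}

/* Shared release: frees when the count reaches zero; returns 1 if freed. */
static int release(css_obj_t *o) {
    if (--o->refcnt == 0) { free(o); return 1; }
    return 0;
}

/* Take n_extra references with the unchecked increment, then release ONE.
 * Returns 1 if that single release freed the object even though n_extra
 * holders still point at it (the premature free the advisory describes),
 * 0 if the object survived, -1 on allocation failure. */
int unchecked_frees_early(unsigned long n_extra) {
    css_obj_t *o = calloc(1, sizeof *o);
    if (!o) return -1;
    o->refcnt = 1;                          /* creator's own reference */
    for (unsigned long i = 0; i < n_extra; i++) addref_unchecked(o);
    int freed = release(o);
    if (!freed) free(o);                    /* demo cleanup only */
    return freed;
}

/* Same experiment with the checked increment. Returns 1 if freed early,
 * 0 otherwise; *refused (if non-NULL) receives how many addrefs were
 * rejected because the counter was already saturated. */
int checked_frees_early(unsigned long n_extra, unsigned long *refused) {
    css_obj_t *o = calloc(1, sizeof *o);
    if (!o) return -1;
    o->refcnt = 1;
    unsigned long rejected = 0;
    for (unsigned long i = 0; i < n_extra; i++)
        if (!addref_checked(o)) rejected++;
    if (refused) *refused = rejected;
    int freed = release(o);
    if (!freed) free(o);
    return freed;
}

int main(void) {
    unsigned long refused = 0;
    printf("unchecked, 100 refs, release one: freed=%d\n",
           unchecked_frees_early(100));
    printf("unchecked, 65536 refs, release one: freed=%d\n",
           unchecked_frees_early(65536UL));
    printf("checked, 65536 refs, release one: freed=%d refused=%lu\n",
           checked_frees_early(65536UL, &refused), refused);
    return 0;
}
```

With 65536 extra references the unchecked 16-bit count has wrapped back to exactly 1, so releasing a single reference frees an object that 65536 other holders still use; any later access through those holders is a use-after-free. The checked version keeps the count honest by refusing the references it cannot represent, which is the same outcome a wider counter gives in practice, but without relying on the width alone. Detecting this class of bug at build time usually means instrumenting increments with overflow checks (or a saturating counter type) rather than reasoning about the maximum number of references a page can create.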
URI-type flaws like the ‘carpet bombing’ vulnerability are scary stuff and seem to crop up a lot in browsers lately. But CSS-related vulnerabilities – that’s something I personally have seen very little of in recent years. Though it is triggered by a JavaScript-related issue, and certainly JavaScript issues are the most common type of browser vulnerability in Mozilla browsers.
Personally I think that the decision to patch 2.x one day and 3.x the next is a very risky security decision – regardless of the fact that Mozilla thinks there is less risk to Firefox 3. The reality is that users don’t patch as quickly as they should (though they do update Firefox faster than other browsers) and having a known vulnerability out there waiting to patch isn’t my idea of mitigating risk properly.