It has been over two weeks since Firefox 3.0 was released, but the vast majority of Firefox users are still on Firefox 2.x. Mozilla is out today with a new version, Firefox 2.0.0.15, that fixes at least 12 different security issues, four of them marked as critical.
There is no corresponding update to Firefox 3.x yet, though Firefox 3.0.1 should be out in the next week or so.
Among the critical fixes for 2.0.0.15 is an omnibus advisory, MFSA 2008-21, for ‘memory corruption vulnerabilities’. Mozilla tends to have one of these in every update: they basically look at crash reports and determine which crashes could have led to security risks.
A vulnerability listed as ‘high’ by Mozilla (which I would have rated as critical) that is very interesting is a Cross Site Scripting (XSS) issue that doesn’t sound too hard to pull off. According to the advisory:
Mozilla contributor moz_bug_r_a4 submitted a set of vulnerabilities which allow scripts from one document to be executed in the context of a different document. These vulnerabilities could be used by an attacker to violate the same-origin policy and perform an XSS attack against arbitrary sites, potentially stealing or manipulating the user’s private information on the victim site.
Another ‘high’ vulnerability that sounds freakishly scary to me is an arbitrary file upload vulnerability. I have never personally heard of such a thing before. According to Mozilla’s advisory on the issue, the flaw could have allowed malicious content to force the browser into uploading local files to the remote server. This flaw could have been used by an attacker to steal files from known locations on a victim’s computer. According to Mozilla, Firefox 3 is not vulnerable to this attack due to the changed design of the file upload form element.
There is also a flaw rated as ‘moderate’ (but again, I think it deserves more) involving Windows shortcuts. According to the advisory:
Mozilla community member Geoff reported that URL shortcut files on Windows (for example, saved IE favorites) could be interpreted as if they were in the local file context when opened by Firefox, although the referenced remote content would be downloaded and displayed. Scripts loaded from the remote site would have access to all local file content in Firefox 2 if they were programmed to look for it.
Mozilla notes that Firefox 3 already includes protections to mitigate this risk.
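Both the XSS advisory and the shortcut advisory above come down to the same question: which origin does a piece of content get, and does that origin carry local-file privileges? The following is an added example written for this post, not Mozilla's code and not how Firefox implements its security checks. It models the same-origin policy as a (scheme, host, port) comparison, parses a constructed Windows .url shortcut (the `[InternetShortcut]` / `URL=` format that saved IE favorites use), and shows why the content reached through the shortcut must take the origin of its own remote URL rather than the `file:` origin of the shortcut on disk. The hostname `example.test` and the shortcut contents are constructed sample data.

```python
"""Added example: same-origin decisions for content opened via a .url shortcut.
Not Mozilla's code; the origin model here is a simplification of what
browsers actually do."""
from configparser import ConfigParser
from urllib.parse import urlsplit

# Default ports the same-origin policy fills in when the URL omits one.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def origin_of(url):
    """Return the (scheme, host, port) tuple that the same-origin policy
    compares. file: URLs carry no host; treat them as the local-file origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "file":
        return ("file", None, None)
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a, url_b):
    """Two documents may script each other only if every component matches."""
    return origin_of(url_a) == origin_of(url_b)


# Constructed sample: the text of a saved IE favorite (a Windows .url file).
SAMPLE_URL_FILE = "[InternetShortcut]\r\nURL=http://example.test/page.html\r\n"

# Constructed sample: where that shortcut lives on the victim's disk.
SAMPLE_SHORTCUT_LOCATION = "file:///C:/Users/alice/Favorites/news.url"


def shortcut_target(contents):
    """Parse the INI-style .url file and return the URL it points to."""
    parser = ConfigParser(interpolation=None)
    parser.read_string(contents)
    return parser["InternetShortcut"]["URL"]


def shortcut_location_origin(shortcut_location):
    """The flawed choice described in the advisory: assign the remote content
    the origin of the shortcut file itself (a local-file origin)."""
    return origin_of(shortcut_location)


def content_origin(contents):
    """The correct choice: the content's origin is that of its own URL,
    regardless of where the shortcut that opened it was stored."""
    return origin_of(shortcut_target(contents))


def grants_local_file_access(contents):
    """Scripts should only reach local file content from a file: origin.
    With the origin derived from the remote URL, the answer is no."""
    return content_origin(contents)[0] == "file"


if __name__ == "__main__":
    print("shortcut on disk  ->", shortcut_location_origin(SAMPLE_SHORTCUT_LOCATION))
    print("content it opens  ->", content_origin(SAMPLE_URL_FILE))
    print("local file access ->", grants_local_file_access(SAMPLE_URL_FILE))
```

Run as a script it prints the local-file origin the shortcut's own location would give, the `http` origin the remote content actually deserves, and `False` for local file access. The point is in the contrast between `shortcut_location_origin` and `content_origin`: the first is what the advisory says Firefox 2 effectively did, the second is the behaviour Mozilla says Firefox 3 already has.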
Overall, Firefox 2.0.0.15 is a very interesting release from my point of view, for a number of reasons. It shows flaws that are very creative and interesting – yet are already fixed in the current version of Firefox 3. It will be VERY INTERESTING to see whether any of these actually aren’t yet fully fixed in Firefox 3, but we might not know that until the 3.0.1 release.
Mozilla has already stated that they will continue to support Firefox 2.x for six more months – until the 3.5 release, which Mozilla expects to ship by the end of 2008.