A Trio of Memory Flaw Fixes for Mozilla Firefox 3

While rivals are pushing the latest editions of their own browsers, Mozilla is getting its own house in order with an update to its open source Firefox Web browser that locks down at least five vulnerabilities, three of which it warned are critical.

The Firefox 3.0.7 update also fixes a number of non-security bugs that had affected browser stability.

The update comes at the same time that Mozilla’s developers continue to ramp up their oft-delayed, next-generation Firefox 3.1 release, while competitors push out beta releases of their own new browsers: Microsoft IE 8, Apple Safari 4 and Google Chrome 2.

For the critical fixes in Firefox 3.0.7, memory-related issues are a big concern. In its Mozilla Foundation Security Advisory 2009-07, covering one of the fixes, Mozilla addresses what it describes generically as “Crashes with evidence of memory corruption.” The crash conditions potentially could have enabled an attacker to execute arbitrary code on a vulnerable browser installation.

Mozilla provides more detail on another memory crash condition, through a separate critical advisory dealing with PNG images. According to Mozilla, there were memory safety hazards in the libraries that Mozilla was using to handle PNG files. As a result, an attacker could potentially have generated a malicious PNG image that could trigger a crash, thereby enabling the attacker to execute unauthorized code.

A third critical security vulnerability repaired in the update is also memory-related and has to do with how Mozilla manages memory for user-interface components — specifically, page elements based on Extensible User-Interface Language, or XUL.

“The vulnerability was caused by improper memory management of a set of cloned XUL … elements which were linked as a parent and child,” Mozilla stated in its advisory. “After reloading the browser on a page with such linked elements, the browser would crash when attempting to access an object which was already destroyed.”

Also fixed in Firefox 3.0.7 is a cross-site scripting issue rated by Mozilla as having a “high” impact. According to Mozilla’s advisory, the vulnerability could have enabled an attacking Web site to take data from users who are authenticated on another site.

“A Web site could use nsIRDFService and a cross-domain redirect to steal arbitrary XML data from another domain, a violation of the same-origin policy,” Mozilla said.

A spoofing issue, which could have been used to facilitate phishing attacks, is also addressed in the Firefox 3.0.7 update.

“Mozilla contributor Masahiro Yamada reported that certain invisible control characters were being decoded when displayed in the location bar, resulting in fewer visible characters than were present in the actual location,” Mozilla’s advisory stated. “An attacker could use this vulnerability to spoof the location bar and display a misleading URL for their malicious Web page.”
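As an added illustration (not from the article or from Mozilla’s code), the following check shows the class of problem Yamada reported from a defender’s side: it compares the actual length of a URL with the number of characters a user would actually see, and renders any invisible character visibly. It assumes that every code point in the Unicode control (Cc) and format (Cf) categories is invisible; the advisory does not list the specific characters involved.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: Unicode general categories with no visible glyph.
# Cc = control characters (e.g. U+001B), Cf = format characters
# (e.g. U+200B zero-width space, U+202E right-to-left override).
INVISIBLE_CATEGORIES = {"Cc", "Cf"}


def invisible_chars(text):
    """Return (offset, character) for every invisible character in text."""
    return [(i, ch) for i, ch in enumerate(text)
            if unicodedata.category(ch) in INVISIBLE_CATEGORIES]


def audit_url(url):
    """Compare the real length of a URL with its visible length.

    A mismatch means the location as displayed would show fewer
    characters than the location actually contains, which is exactly
    the discrepancy the spoofing advisory describes.
    """
    hidden = invisible_chars(url)
    return {
        "actual_length": len(url),
        "visible_length": len(url) - len(hidden),
        "hidden": hidden,
        "host": urlsplit(url).hostname,
        "suspicious": bool(hidden),
    }


def safe_display(url):
    """Render a URL so nothing is silently dropped: each invisible
    character is replaced by the percent-encoding of its UTF-8 bytes."""
    out = []
    for ch in url:
        if unicodedata.category(ch) in INVISIBLE_CATEGORIES:
            out.append("".join("%%%02X" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample: a zero-width space hidden inside the host name.
    sample = "http://exa\u200bmple.com/login"
    print(audit_url(sample))
    print(safe_display(sample))  # http://exa%E2%80%8Bmple.com/login
```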

The Firefox 3.0.7 update is Mozilla’s second Firefox 3.x update of the year and follows the 3.0.6 update by nearly a month.

On the development side, Mozilla developers are still working on Firefox 3.1, which will introduce new performance and security features. The release is currently stalled at Beta 2; a Beta 3 release is in the works, with Beta 4 to follow.

A new JavaScript engine called TraceMonkey is likely to be the marquee feature in the upcoming browser. JavaScript performance has emerged as a key metric on which browser vendors are now competing, with Mozilla, Apple and Google in particular placing an increasing amount of focus on squeezing extra speed out of their browsers’ engines.
