JavaScript
Mozilla Firefox browser. Unfortunately it may well also be the trigger for many of its flaws.

Firefox 1.5.0.5, out today, is the latest release of the open source browser and patches no fewer than seven critical flaws, with some form of JavaScript issue being at the heart of most of them.

Mozilla Foundation Security Advisory 2006-44, entitled “Code execution through deleted frame reference,” outlines one such highly critical JavaScript-related flaw. In certain circumstances, according to the advisory, a JavaScript reference to a frame or window is not properly cleared when the referenced content went away. The pointer to the deleted object could potentially be used to execute arbitrary code.

Security Advisory 2006-45, entitled “Javascript navigator Object Vulnerability,” is another critical JavaScript-related flaw, which, if exploited, could allow an attacker to run arbitrary code.

Security Advisory 2006-50 addresses JavaScript engine vulnerabilities. Called “JavaScript engine vulnerabilities,” the fix covers additional places where an untimely garbage collection could delete a temporary object that was in active use. Some of these may allow an attacker to run arbitrary code given the right conditions.

At least one of the JavaScript-related flaws reported as part of the Firefox 1.5.0.5 release has its discovery credited to security researcher H.D. Moore. The critical Mozilla Foundation Security Advisory 2006-48, titled “JavaScript new Function race condition,” addresses a vulnerability that could potentially result in arbitrary code execution. Moore is the co-author of the Metasploit Framework and is publishing one browser flaw a day every day in July as part of his Month of Browser Bugs effort.

Even some of the security advisories that don’t have the term “JavaScript” in the title appear to be related to JavaScript in some way. The critical Mozilla Foundation Security Advisory 2006-46, titled “Memory corruption with simultaneous events,” is a case in point. Though that particular advisory does not explicitly mention JavaScript in its description of the flaw, JavaScript is part of the solution for the flaw. The workaround, according to the Mozilla advisory, is for users to disable JavaScript until they can upgrade to a fixed version.

The 1.5.0.5 release is the fifth Firefox point release from Mozilla this year. It released the Firefox 1.5.0.4 update at the beginning of June and corrected five critical vulnerabilities.

Mozilla’s next-generation 2.0 release is now in Beta 1, and is expected to go to full release in September.