Mozilla Fixes Firefox Flaws, Misses One | Internet News

Dec 20, 2006
Mozilla today updated Firefox 2.0 for the first time, but the upgrade lacks at least one fix for a well-known and already disclosed flaw in the open source browser.

In late November, a Password Manager flaw was reported in Firefox, leaving users at risk for having their log-in information misappropriated by malicious sites.

The flaw allows a maliciously crafted page to auto-fill a form with credentials intended for another site.

There is no warning in Firefox 2.0 or previous versions that the credentials are being pulled for the wrong site and submitted to a third party.

As of 5 p.m. EST today, the Bugzilla entry for the flaw is still open.

However, Firefox 2.0.0.1 does feature fixes for five critical security flaws that could have left users at risk of arbitrary code execution and other attacks. The fixes are also reflected in Mozilla’s legacy 1.5.x browser in the new 1.5.0.9 release.

Mozilla Foundation Security Advisory 2006-68 fixes flaws that deal with crashes that hackers can use to corrupt memory for malicious purposes.

“As part of the Firefox 2.0.0.1 and 1.5.0.9 update releases we fixed several bugs to improve the stability of the product,” the Mozilla advisory states. “Some of these were crashes that showed evidence of memory corruption and we presume that at least some of these could be exploited to run arbitrary code with enough effort.”

The Mozilla advisory cites three separate Common Vulnerabilities and Exposures (CVE) identifications (CVE-2006-6497, CVE-2006-6498 and CVE-2006-6499).

Another critical flaw fixed in the new Firefox release addresses a separate crash issue when using a certain CSS cursor property on Windows.

According to the advisory, a miscalculated size during conversion of the image to a Windows bitmap can result in a heap buffer overflow which could be used to compromise the victim’s computer.

Crash issues aren’t the only critical flaws fixed.

Mozilla Foundation Security Advisory 2006-70 discusses a fix for a JavaScript flaw that could have led to privilege escalation.
