Mozilla Patches Some Firefox Holes

Mozilla updated its flagship Firefox browser to version 2.0.0.2 and
the legacy version to release 1.5.10. The updated browser fixes at least seven flaws, including a password vulnerability bug rated critical last November.

The Mozilla Foundation Security Advisory 2007-02, broadly titled “Improvements to help protect against Cross-Site Scripting attacks,” provides a fix for the password vulnerability flaw. The advisory is listed as having low impact, though the original bugzilla entry page for
the password flaw listed the flaw as critical.

According to Mozilla’s advisory, Firefox 2.0.0.2 and 1.5.0.10 both contained
several small changes that are intended to make it easier for sites to
protect visitors against Cross-Site Scripting (XSS) attacks.

The one critical bug identified by Mozilla in the latest release is a
crash condition that could lead to a memory corruption, according to Mozilla’s advisory.

“Some of these were crashes that showed evidence of memory corruption and we
presume that with enough effort at least some of these could be exploited to
run arbitrary code,” the advisory said.

A high impact bug titled “Embedded nulls in location.hostname confuse
same-domain checks” is also fixed in the new release. The location.hostname
bug was recently disclosed by Polish security researcher Michal Zalewski.

According to the Mozilla advisory, this flaw could potentially allow a malicious page to set domain cookies for any arbitrary site. “This also allows setting document.domain to any arbitrary value which could
be used to perform a cross-site scripting attack against any page which also
sets document.domain.”

Mozilla also fixed three bugs with a vulnerability rating of “moderate.” Those include an information disclosure bug, a potential cross site scripting flaw by opening blocked popups and a potential SSL  buffer overflow condition.