Mozilla has patched a pair of security vulnerabilities in its Firefox Web browser just in time for its release of security tools at the Black Hat security conference in Las Vegas this week.
The most notable security fix is the critical fix for a flaw that Mozilla
first blamed on browser rival Microsoft. Mozilla Foundation Security
Advisory 2007-27 is the open source group’s second attempt at fixing a flaw
dealing with passing bad addresses and information to external programs.
Mozilla has been struggling with versions of the flaw since it was first
reported July 10. The actual flaw involves the “firefoxurl://”
uniform resource identifier (URI) handler, which enables Firefox to call on
other Web resources.
In the Firefox 184.108.40.206 release issued July 18, Mozilla
claimed to have fixed the flaw and noted that Microsoft still had similar
issues and that the fix took care of Firefox.
However, Mozilla Chief Security Officer Window
Snyder admitted that Firefox was still at risk from the flaw a week later. She
pledged at the time that Mozilla would move quickly to fix the issue.
A week later, here it is, Firefox 220.127.116.11.
“Jesper Johansson pointed out that Mozilla did not percent-encode spaces and
double-quotes in URIs handed off to external programs for handling, which
can cause the receiving program to mistakenly interpret a single URI as
multiple arguments,” Mozilla explained in its latest advisory.
“The danger depends on the
arguments supported by the specific receiving program, though at the very
least we know Firefox (and Thunderbird) 18.104.22.168 and older could be used to
run arbitrary script.”
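As an added illustration (not code from the article or from Mozilla), the following Python snippet shows the argument-splitting problem the advisory describes and the percent-encoding that prevents it. The handler command template and the URI are constructed for the example; the external handler's parsing is simulated with `shlex`, which honours whitespace and double quotes the way the advisory describes the receiving program doing.

```python
import shlex

# The two characters MFSA 2007-27 says Firefox failed to percent-encode
# before handing a URI to an external handler: space and double quote.
UNSAFE = {" ": "%20", '"': "%22"}


def encode_for_handoff(uri: str) -> str:
    """Percent-encode spaces and double quotes so the URI stays one argument."""
    return "".join(UNSAFE.get(ch, ch) for ch in uri)


def handler_argv(template: str, uri: str) -> list:
    """Simulate a receiving program parsing its command line into argv.

    `template` is a constructed handler registration such as
    'handler.exe "%1"'; %1 is replaced by the URI and the result is split
    on whitespace, honouring double quotes (what the advisory describes).
    """
    cmdline = template.replace("%1", uri)
    return shlex.split(cmdline)


def stays_single_argument(template: str, uri: str) -> bool:
    """Defender-side check: does the URI survive hand-off as exactly one arg?"""
    return len(handler_argv(template, uri)) == 2  # program name + one URI


if __name__ == "__main__":
    # Constructed sample: a URI containing a space and an embedded quote.
    template = 'handler.exe "%1"'
    raw_uri = 'myproto://example/ path" -extra "x'
    print("unencoded :", handler_argv(template, raw_uri))
    print("encoded   :", handler_argv(template, encode_for_handoff(raw_uri)))
    print("safe?     :", stays_single_argument(template, encode_for_handoff(raw_uri)))
```

The unencoded URI is parsed into four arguments, while the encoded form is passed through as a single one.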
The second fix in Firefox 22.214.171.124 also fixes an issue in Firefox that
Mozilla thought it had fixed in the Firefox 126.96.36.199 release.
Mozilla Foundation Security Advisory 2007-20 describes a privilege-escalation flaw.
According to Mozilla’s advisory, the flaw was introduced by the fix for a
frame-spoofing flaw that was fixed in the 188.8.131.52 release.
In addition to updating Firefox, Mozilla has also updated its Thunderbird
e-mail client for the same issues, to version 184.108.40.206 as well. The future of
Thunderbird itself is currently in question.
In a series of blog posts over
the last week, Mozilla’s CEO Mitchell Baker has indicated that she would
like to see Thunderbird spun out from under the auspices of the Mozilla
Corporation. No decisions have yet been made, nor has a timeline been
published as to when Thunderbird might be moved.
The Mozilla release notes for the 220.127.116.11 releases do not indicate whether
any flaws were fixed in Mozilla’s products as a result of the open source
group’s own security scanning.
At Black Hat this week, Mozilla is expected to
release fuzzing tools that will enable developers to break the browser
in order to find and fix flaws.