Tuesday, March 31, 2009

Mozilla Fixes Critical Firefox Flaws

Mozilla released fixes Friday for two critical security vulnerabilities that paved the way for hackers to launch malicious attacks that could crash a browser or take complete control of a user's computer.

The latest Firefox version 3.0.8, which initially was slated for release April 1, addresses critical errors affecting multiple versions of the Firefox 3 Web browser.

One of the critical Firefox updates repaired a flaw, made public during the renowned Pwn2Own contest at the CanSecWest 2009 hacker conference earlier in March, that could allow hackers to launch a drive-by attack in the context of the browser.

The flaw was publicly demonstrated by a German hacker known only as Nils, 25, who successfully hacked the browser in exchange for a Sony Vaio machine running Windows 7.

The second critical bug, affecting Firefox version 3.0.7, stems from an XSLT vulnerability that resulted from improper handling of errors when transforming an XML document. The flaw, which was first brought to light by security researcher Guido Landi, could potentially be exploited by attackers who enticed unsuspecting users to open a malicious file using the affected Firefox browser. Once the victim viewed an infected file, attackers could then execute arbitrary code on the user's computer to crash the browser or initiate a denial of service attack.

While the execution of arbitrary code hasn't been proven in the XSLT flaw, it is also not entirely ruled out, Secunia researchers said in a blog post.

Mozilla said in its advisory Thursday that it had been investigating both issues and that the impending fixes were undergoing quality assurance testing, implying that they would be forthcoming soon.

Security experts recommended that users update their browsers with the latest version of Firefox in order to protect vulnerable systems from attack. Additionally, Secunia researchers advised in a blog post that users avoid opening untrusted Web sites or clicking on unsolicited links, which might contain malware.
