Mozilla Security Update Fixes 7 Vulnerabilities

This week, Mozilla patched seven vulnerabilities with the latest security update, available both with automatic updates and manual download from the company's website, for Firefox 1.5.0.10 and Firefox 2.0.0.2. The security update was originally slated for a February 21 release but was pushed back to accommodate a fix for the location.hostname vulnerability. The vulnerability allows malicious Web sites to manipulate authentication cookies for third-party sites. "We strongly recommend that all Firefox users upgrade to this latest release. This update resolves the location.hostname vulnerability and other security and stability issues. Thanks to the work of our contributors, we have been able to address these issues quickly in order to minimize the security risk to Firefox users," said Mike Schroepfer, VP of engineering at Mozilla.

The open-source software maker is already working on another serious bug that Michal Zalewski, a Polish security researcher, described as a memory-corruption issue on his mailing list, Full Disclosure: "I noticed that Firefox is susceptible to a pretty nasty, and apparently easily exploitable memory corruption vulnerability. When a location transition occurs and the structure of a document is modified from within onUnload event handler, freed memory structures are left in inconsistent state, possibly leading to a remote compromise."

News source: InformationWeek

Report a problem with article
Previous Story

Breakthrough in Blue Lasers Yields 10X Write Times

Next Story

Microsoft will fight to keep Office Live Name

14 Comments

Commenting is disabled on this article.

TRC said,
You may have an outdated version, mine works fine. Latest version is 5.0 Update 11.
JRE 6.0 reports that error.

NO, Mozilla fixed an old memory corruption flaw, but a new memory corruption flaw has been discovered and it's unpatched!

No! Read the article; at the end it says:

Mozilla says it's working on that bug as well.

But click on the link to the bug, and you see it is RESOLVED FIXED for 1.8.0.10 and 1.8.1.2!! (Michal was testing against firefox 2.0.0.1, in which the bug was present, but it got fixed on the road to 2.0.0.2 by a different patch).

Cryton said,
No! Read the article; at the end it says:

But click on the link to the bug, and you see it is RESOLVED FIXED for 1.8.0.10 and 1.8.1.2!! (Michal was testing against firefox 2.0.0.1, in which the bug was present, but it got fixed on the road to 2.0.0.2 by a different patch).

While what you meant to say is correct, you didn't quite interpret the bug correctly. The RESOLVED FIXED refers to the patch that was checked in on the trunk (the future Fx3), not the 1.8 branches. If you read the comments near the bottom, you'll see that the bug just plain and simple doesn't affect 1.5.0.10/2.0.0.2 due to another fix which went in prior to it being released. They added the fixed1.8.0.10 & fixed1.8.1.2 keywords to reflect it being fixed in 1.5.0.10 & 2.0.0.2 so Joe Q. Public going to that bug will see that it doesn't affect those releases.

That's weird I've updated to 2.0.0.2 twice now once last night and then I checked again after seeing this post and now I've apparently updated again