On Wednesday, Mozilla released Firefox 3.0.4 (download for Windows and Mac) and Firefox 2.0.0.18 to address a dozen security flaws, half of which the browser maker ranks as critical. Among the critical is one that could allow an attacker privilege escalation after a session restore. Another could allow arbitrary code to execute with compromised Flash media files.
The updates are pushed automatically to current users and will take effect the next time the browser is restarted. Updates will soon no longer be available for users of Firefox 2; the update is a security update only. Current users of Firefox 2 are encouraged to upgrade by manually downloading Firefox 3 as soon as possible.
MFSA 2008-55: Critical
A crash and remote code execution is possible in nsFrameManager. This vulnerability can be exploited by modifying certain properties of a file input element before it has finished initialising. Details can be found in CVE-2008-5021.
MFSA 2008-54: Critical
There is a buffer overflow in http-index-format parser as a result of the way Mozilla parses the http-index-format Mime type. Mozilla said by sending a specially crafted 200 header line in the HTTP index response, an attacker can cause the browser to crash and run arbitrary code on the victim's computer. Details can be found in CVE-2008-0017.
MFSA 2008-53: Critical
Mozilla said the browser's session-restore feature can be used to violate the same-origin policy and run JavaScript in the context of another site. Details can be found in CVE-2008-5019.
MFSA 2008-52: Critical
Mozilla developers identified and fixed several stability bugs which may cause crashes in the browser engine used in Firefox and other Mozilla-based products. Details can be found in CVE-2008-5016 and CVE-2008-5017.
MFSA 2008-50: Critical
Mozilla said by tampering with the window.__proto__.__proto__ object, a remote attacker can cause the browser to place a lock on a non-native object, leading to a crash and possible execution of arbitrary code. Details can be found in CVE-2008-5014.
MFSA 2008-49: Critical
Mozilla said an SWF file that dynamically unloads itself from an outside JavaScript function can cause the browser to access a memory address no longer mapped to the Flash module, resulting in a crash. This crash could be used by an attacker to run arbitrary code on a victim's computer. Details can be found in CVE-2008-5013.
MFSA 2008-48: High
Mozilla said the canvas element in Firefox could be used in conjunction with an HTTP redirect to bypass same-origin restrictions and gain access to the content in arbitrary images from other domains. This vulnerability could be used by an attacker to steal private information from a victim who is logged into a website that stores the data in images. Details can be found in CVE-2008-5012.
MFSA 2008-57: High
Mozilla said the -moz-binding CSS property can be used to bypass security checks which validate codebase principals. Details can be found in CVE-2008-5023.
MFSA 2008-56: High
Mozilla said the same-origin check in nsXMLHttpRequest::NotifyEventListeners() can be bypassed. This vulnerability could be used to execute JavaScript in the context of a different website. Details can be found in CVE-2008-5022.
MFSA 2008-51: Moderate
Mozilla said URIs are given chrome privileges when opened in the same tab as a chrome page or privileged about: page. This vulnerability could be used by an attacker to run arbitrary JavaScript with chrome privileges. Details can be found in CVE-2008-5015.
MFSA 2008-47: Moderate
Mozilla said locally saved .url shortcut files could be used to read information stored in the local cache. Details can be found in CVE-2008-4582.
MFSA 2008-58: Low
There is a parsing error in E4X default namespace. The error was caused by quote characters in the namespace not being properly escaped. Details can be found in CVE-2008-5024.
