Firefox Browser Holes Plugged

Thursday, August 25, 2011 @ 11:08 AM gHale

Mozilla patched four critical memory safety bugs in the Firefox browser engine.

“Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code”, Mozilla officials said.

RELATED STORIES
Attacks Grow with Web App
Old Browser Plug-ins Big Attack Target
Trojan Sticks it to Super Glue
Malware Feeds Off Slow Patching

Another critical bug patched in Firefox 6 allowed unsigned JavaScript code to run a script inside a signed JAR file with the permissions and identity of that file.

Mozilla also fixed a critical flaw in the WebGL shader program, which “could cause a buffer overrun and crash in a strong class used to store the shader source code.” In addition, the company fixed a potentially exploitable heap overflow in the ANGLE library used by WebGL implementation and a “dangling pointer vulnerability” in a SVG text manipulation routine.

Also fixed in Firefox 6 were two high-risk flaws: Credential leakage using Content Security Policy reports and cross-origin data theft using canvas and Windows D2D.

Firefox 6 added domain highlighting in the URL to make phishing attempts more apparent. “The Awesome Bar (URL bar) highlights a Website’s domain name and the identity block is more prominent to help quickly identify where you are on the Web,” Mozilla officials said.



Leave a Reply

You must be logged in to post a comment.