Mozilla Closes Platform Holes

Thursday, July 19, 2012 @ 06:07 PM gHale


Mozilla offered some details of the security fixes in the new versions of its Firefox web browser, Thunderbird news and email client, and the SeaMonkey “all-in-one Internet application suite.”

Based on the same Gecko platform, version 14.0 of Firefox and Thunderbird and version 2.11 of SeaMonkey closed a number of the same security holes, some of which the project rates as “critical”; updates have also gone out for the “enterprise” versions of Firefox and Thunderbird to address these issues.


These critical vulnerabilities include a code execution problem related to javascript: URLs, a JSDependentString::undepend string conversion bug an attacker can exploit to cause a crash, a same-compartment Security Wrappers bypass issue, and various memory safety hazards. They also took care of critical use-after-free problems, an out-of-bounds read bug, and a bad cast in the Gecko engine that could lead to memory corruption. An attacker could exploit some of these vulnerabilities remotely to execute arbitrary code on a victim’s system, Mozilla said.

The developers also corrected three high-risk vulnerabilities – including location spoofing and data leakage issues – and three moderate security bugs.

Additionally, the update to Firefox closes a high-risk cross-site scripting (XSS) problem and two moderate issues. Many of these same vulnerabilities were also addressed in version 10.0.6 of Mozilla’s “enterprise” Extended Support Releases (ESR) of Firefox and Thunderbird.


