Saturday, March 26, 2005

Firefox 1.0.2

After releasing Mozilla 1.7.6, Mozilla Foundation quickly released an update to Firefox, called 1.0.2 which fixed 3 vulnerabilities :

- MFSA 2005-32 Drag and drop loading of privileged XUL : A malicious page that could lure a user into dragging something (such as a fake scrollbar) can bypass the restriction on opening privileged XUL. The startup scripts in the XUL will run with enhanced privilege, though the actions taken upon merely opening most XUL are benign. So far no way to run arbitrary code supplied by the attacker has been found, but this could be a stepping-stone to future attacks.

- MFSA 2005-31 Arbitrary code execution from Firefox sidebar panel : If a user bookmarked a malicious page as a Firefox sidebar panel that page could execute arbitrary programs by opening a privileged page and injecting javascript into it.

- MFSA 2005-30 GIF heap overflow parsing Netscape extension 2 : An GIF processing error when parsing the obsolete Netscape extension 2 can lead to an exploitable heap overrun, allowing an attacker to run arbitrary code on the user's machine.

This vulnerabilities has been fixed in 1.7.6 which released earlier.

No comments:

Post a Comment