Firefox 3.6.13 Is Out, 9 Critical Security Advisories Accompany It

Article by George Norman (Cybersecurity Editor)

on 10 Dec 2010

The Mozilla-developed Firefox web browser has been updated to version 3.6.13 and all Firefox users out there are well advised to get the update as soon as possible. They can get it in one of three ways:
1 – Wait for the automatic update prompt.
2 – Download Firefox 3.6.13 from Mozilla.com here.
3 – Manually trigger an update by clicking Check for Updates in the Help menu.

Why are Firefox users well advised to get the update? For one simple reason: security. You see, Firefox 3.6.13 is a stability and security update; it is accompanied by a grand total of 11 security advisories, 9 of which carry the critical rating.

Mozilla uses a 4-tier rating system: low, moderate, high, and critical. The critical rating is employed only when a “vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.”

Getting back to the 9 critical security advisories, here are the details Mozilla made public.

MFSA 2010-82
Title: Incomplete fix for CVE-2010-0179
Description: The fix for CVE-2010-0179 could be circumvented, permitting the execution of arbitrary JavaScript with chrome privileges.
Credit: Mozilla security researcher moz_bug_r_a4.

MFSA 2010-81
Title: Integer overflow vulnerability in NewIdArray
Description: An array could be constructed containing a very large number of items such that, when memory was allocated to store the array items, the integer value used to calculate the buffer size would overflow, resulting in too small a buffer being allocated. Subsequent use of the array object could then result in data being written past the end of the buffer, causing memory corruption.
Credit: Security researcher regenrecht.
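
The size-calculation overflow described in MFSA 2010-81, shown as an added C example beside a checked form. This is not Mozilla's code: the `id_array` layout and all function names are hypothetical, and sizes are computed in 32 bits to model the wraparound on any platform.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical layout: a header followed by `length` 32-bit ids. */
typedef struct {
    uint32_t length;
    uint32_t ids[];              /* flexible array member */
} id_array;

/* Unchecked pattern: header + length * item size in 32-bit arithmetic.
 * A large enough length wraps, so the result is far too small. */
uint32_t unchecked_alloc_size(uint32_t length)
{
    return (uint32_t)sizeof(id_array) + length * (uint32_t)sizeof(uint32_t);
}

/* Checked pattern: refuse any length whose byte size cannot be represented.
 * Returns 1 and stores the size on success, 0 on overflow. */
int checked_alloc_size(uint32_t length, uint32_t *out)
{
    const uint32_t header = (uint32_t)sizeof(id_array);
    const uint32_t item = (uint32_t)sizeof(uint32_t);
    if (length > (UINT32_MAX - header) / item)
        return 0;
    *out = header + length * item;
    return 1;
}

/* Allocator built on the checked size: returns NULL instead of a short buffer. */
id_array *id_array_new(uint32_t length)
{
    uint32_t bytes;
    if (!checked_alloc_size(length, &bytes))
        return NULL;
    id_array *a = calloc(1, bytes);
    if (a != NULL)
        a->length = length;
    return a;
}

int main(void)
{
    uint32_t huge = 0x40000000u; /* constructed input: 2^30 items */
    printf("unchecked size for %u items: %u bytes\n",
           (unsigned)huge, (unsigned)unchecked_alloc_size(huge));
    printf("checked allocator returns %s\n",
           id_array_new(huge) == NULL ? "NULL" : "a buffer");
    return 0;
}
```

With the unchecked calculation, later writes indexed by the stored length would land past the end of the small allocation, which is the memory corruption the advisory describes.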

MFSA 2010-80
Title: Use-after-free error with nsDOMAttribute MutationObserver
Description: A nsDOMAttribute node can be modified without informing the iterator object responsible for various DOM traversals. This flaw could lead to an inconsistent state where the iterator points to an object it believes is part of the DOM but actually points to some other object. If such an object had been deleted and its memory reclaimed by the system, then the iterator could be used to call into attacker-controlled memory.
Credit: Security researcher regenrecht.

MFSA 2010-79
Title: Java security bypass from LiveConnect loaded via data: URL meta refresh
Description: When a Java LiveConnect script was loaded via a data: URL which redirects via a meta refresh, then the resulting plugin object was created with the wrong security principal and thus received elevated privileges such as the abilities to read local files, launch processes, and create network connections.
Credit: Security researcher Gregory Fleischer.

MFSA 2010-78
Title: Add support for OTS font sanitizer
Description: Added the OTS font sanitizing library to prevent downloadable fonts from exposing vulnerabilities in the underlying OS font code. This library mitigates against several independently reported issues.
Credit: Red Hat Security Response Team member Marc Schoenefeld and Mozilla security researcher Christoph Diehl.

MFSA 2010-77
Title: Crash and remote code execution using HTML tags inside a XUL tree
Description: When a XUL tree had an HTML <div> element nested inside a <treechildren> element then code attempting to display content in the XUL tree would incorrectly treat the <div> element as a parent node to tree content underneath it resulting in incorrect indexes being calculated for the child content. These incorrect indexes were used in subsequent array operations which resulted in writing data past the end of an allocated buffer. An attacker could use this issue to crash a victim's browser and run arbitrary code on their machine.
Credit: Security researcher wushi of team509.

MFSA 2010-76
Title: Chrome privilege escalation with window.open and <isindex> element
Description: A web page could open a window with an about:blank location and then inject an <isindex> element into that page which upon submission would redirect to a chrome: document. The effect of this defect was that the original page would wind up with a reference to a chrome-privileged object, the opened window, which could be leveraged for privilege escalation attacks.
Credit: Security researcher echo and Mozilla security researcher moz_bug_r_a4.

MFSA 2010-75
Title: Buffer overflow while line breaking after document.write with long string
Description: On Windows platforms when document.write() was called with a very long string a buffer overflow was caused in line breaking routines attempting to process the string for display. Such cases triggered an invalid read past the end of an array causing a crash which an attacker could potentially use to run arbitrary code on a victim's computer.
Credit: Dirk Heinrich.

MFSA 2010-74
Title: Miscellaneous memory safety hazards
Description: Several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances. With enough effort at least some of these could be exploited to run arbitrary code.
Credit: Jesse Ruderman, Andreas Gal, Nils, Igor Bukanov, and Brian Hackett.

Mozilla also released Firefox 3.5.16 - release notes here, download here. 3.5.16 is a stability and security update that fixes the same security issues 3.6.13 does.

