Mozilla is updating its mainline Firefox 3 browser with a security and stability update that provides at least nine security fixes, four of them “critical.” In addition to the latest version, 3.0.4, Firefox is pushing out 11 fixes for the older Firefox 2 browser, six of which are critical. If that wasn’t enough, Mozilla is […]
Mozilla is updating its mainline Firefox 3 browser with a security and stability update that provides at least nine security fixes, four of them “critical.”
In addition to the latest version, 3.0.4, Firefox is pushing out 11 fixes for the older Firefox 2 browser, six of which are critical. If that wasn’t enough, Mozilla is pushing forward at the same time on the development of its next browser platform Firefox 3.1 with Beta 2 testing.
Among the critical fixes in Firefox 3.0.4 is a flaw involving Cross Site Scripting (XSS) and JavaScript privilege escalation via a Firefox browser session restore.
Mozilla’s advisory on the flaw notes that the browser’s session restore feature can be used to run JavaScript in the context of another site. According to Mozilla, as a result of that flaw potentially, “any otherwise unexploitable crash can be used to force the user into the session restore state.”
Another critical flaw fixed in the update is one for a buffer overflow in the http-index-format parser. Mozilla credits Justin Schuh of the IBM X-Force security group for reporting the flaw. According to the advisory, by “sending a specially crafted header line in the HTTP index response, an attacker can cause the browser to crash and run arbitrary code on the victim’s computer.”
Mozilla also provides a fix for a flaw that could have enabled an attacker to steal user information from local shortcut files. Mozilla labeled the flaw “moderate” due to the complexity of its execution, which requires two components.
The way the attack would work is that .url shortcut files could potentially be used to read local cache information if the user downloaded both an HTML file and a .url shortcut.
Firefox 2.x users get mostly the same fixes as the 3.x branch with a few notable exceptions. One of them is a critical fix involving the Adobe Flash Player and a potential arbitrary code execution issue. According to Mozilla’s advisory on the issue, the flaw occurs because there are insufficient checks to determine if the Flash Player module is being properly unloaded. A flash file that gets unloaded improperly could trigger a crash, which could open the door for arbitrary code to run.
There’s more to the fixes, such as a Firefox 2.x specific fix for an image stealing via canvas and HTTP redirect issue. According to Mozilla’s advisory A simple HTTP redirect could have been used to potentially steal private information from a victim who is logged into a Web site that stores data in images.
Though Mozilla is still updating its Firefox 2.x browser, it is recommending that user upgrade to Firefox 3.0.4. Mozilla has provided a direct migration path for Firefox 2.x user since August. Firefox 2.x is targeted to hit its end of life by the end of the year.
Firefox 3 was released on June 17th of this year while Firefox 2 was first released in October of 2006.
This article was first published on InternetNews.com.
Ethics and Artificial Intelligence: Driving Greater Equality
FEATURE | By James Maguire,
December 16, 2020
AI vs. Machine Learning vs. Deep Learning
FEATURE | By Cynthia Harvey,
December 11, 2020
Huawei’s AI Update: Things Are Moving Faster Than We Think
FEATURE | By Rob Enderle,
December 04, 2020
Keeping Machine Learning Algorithms Honest in the ‘Ethics-First’ Era
ARTIFICIAL INTELLIGENCE | By Guest Author,
November 18, 2020
Key Trends in Chatbots and RPA
FEATURE | By Guest Author,
November 10, 2020
FEATURE | By Samuel Greengard,
November 05, 2020
ARTIFICIAL INTELLIGENCE | By Guest Author,
November 02, 2020
How Intel’s Work With Autonomous Cars Could Redefine General Purpose AI
ARTIFICIAL INTELLIGENCE | By Rob Enderle,
October 29, 2020
Dell Technologies World: Weaving Together Human And Machine Interaction For AI And Robotics
ARTIFICIAL INTELLIGENCE | By Rob Enderle,
October 23, 2020
The Super Moderator, or How IBM Project Debater Could Save Social Media
FEATURE | By Rob Enderle,
October 16, 2020
FEATURE | By Cynthia Harvey,
October 07, 2020
ARTIFICIAL INTELLIGENCE | By Guest Author,
October 05, 2020
CIOs Discuss the Promise of AI and Data Science
FEATURE | By Guest Author,
September 25, 2020
Microsoft Is Building An AI Product That Could Predict The Future
FEATURE | By Rob Enderle,
September 25, 2020
Top 10 Machine Learning Companies 2021
FEATURE | By Cynthia Harvey,
September 22, 2020
NVIDIA and ARM: Massively Changing The AI Landscape
ARTIFICIAL INTELLIGENCE | By Rob Enderle,
September 18, 2020
Continuous Intelligence: Expert Discussion [Video and Podcast]
ARTIFICIAL INTELLIGENCE | By James Maguire,
September 14, 2020
Artificial Intelligence: Governance and Ethics [Video]
ARTIFICIAL INTELLIGENCE | By James Maguire,
September 13, 2020
IBM Watson At The US Open: Showcasing The Power Of A Mature Enterprise-Class AI
FEATURE | By Rob Enderle,
September 11, 2020
Artificial Intelligence: Perception vs. Reality
FEATURE | By James Maguire,
September 09, 2020
Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.
Datamation is the leading industry resource for B2B data professionals and technology buyers. Datamation's focus is on providing insight into the latest trends and innovation in AI, data security, big data, and more, along with in-depth product recommendations and comparisons. More than 1.7M users gain insight and guidance from Datamation every year.
Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved
Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.
