Saturday, December 20, 2008

Critical update for Firefox released

Internet Explorer isn't the only browser to have been getting bolstered against malicious attacks this week – Firefox has been updated to version 3.0.5.

According to CNet, the new version, which trickled out to users earlier this week via the browser's built-in automatic update functionality, fixes a series of security flaws described as 'highly critical' that exist in the 3.0.x series of Mozilla's Firefox, as well as in the 1.1.x versions of SeaMonkey and the 2.0.0.x series of the e-mail client Thunderbird, which shares HTML and JavaScript engines with its browser relatives.

The updates – which move the software on to versions 3.0.5, 1.1.14, and 2.0.0.19 respectively – fix three main security flaws: errors in the layout and JavaScript engine that can be used to corrupt memory and possibly execute a malicious payload; a problem with the processing of the 'persist' XUL attribute which can allow user identification across browser sessions regardless of the cookie preferences the user has set; and an exploitable condition which allows third-party sites to possibly access sensitive information and execute arbitrary JavaScript code under the privileges of the browser.

As usual, the security problems within the browser stem from the use of JavaScript. If a user enables an add-on such as NoScript – which selectively disables JavaScript on untrusted sites and introduces novel protections against cross-site scripting and clickjacking attacks – then the attacks are ineffective unless they are run from a previously trusted site.

While the recently exposed security hole in Internet Explorer has been getting a lot of attention, this latest patch to the popular open-source browser shows that it's difficult to provide a balance of flexibility and security in an application as powerful as a web browser.

Has anyone fallen victim to an attack from a site via the recent Internet Explorer or Firefox vulnerabilities, or is it just a case of the developers keeping things as tightly secured as possible despite a lack of real-world exploitation? Share your thoughts over in the forums.
