From: www.itworld.com
February 8, 2008 —
Mozilla issued 10 patches on Friday for its Firefox browser, including three
for critical vulnerabilities. The latest version of Firefox is now 2.0.0.12.
One of the critical vulnerabilities, MFSA 2008-06, is a problem in the way the
browser handles images on certain Web pages.
It's possible to exploit the flaw to steal a person's Web browsing history,
forward that information and then crash the browser. It may also be possible
to run arbitrary code on a machine, Mozilla said.
A second critical vulnerability can enable a privilege escalation attack or
remote code execution.
The last critical problem involves a memory corruption flaw. "We presume that
with enough effort at least some of these could be exploited to run arbitrary
code," Mozilla said.
Also notable is a fix for a problem with Mozilla's "chrome" protocol; "chrome"
is the term Mozilla uses for its user interface. The problem involves some of
Firefox's add-ons, which are applications that users can download to extend
browser functionality.
The vulnerability would let an attacker determine what applications are installed
on a person's PC, which could give clues to how the machine could be compromised,
Mozilla said. However, a victim would have to be lured to a special malicious
Web page designed to take advantage of the flaw.
IDG News Service