Critical Flaws Flagged in Mozilla, Thunderbird
Vulnerabilities Patched in New Releases of Firefox and Thunderbird
Ryan Naraine

The Mozilla Project has issued a warning for a series of "highly critical" security holes in three of its core projects, including its flagship Firefox Web browser and the Thunderbird e-mail client.

The vulnerabilities, which also affect the Mozilla browser suite, could potentially be exploited by malicious people to conduct cross-site scripting attacks, access and modify sensitive information, and compromise a user's system.

The open-source group has already fixed the bugs and is urging users to upgrade to Mozilla 1.7.3, Firefox 1.0 Preview Release, and Thunderbird 0.8.

The news comes just days after the open-source project issued an initial preview release of Firefox 1.0, which features an integrated RSS reader that displays "live bookmarks," a new "Find" tool, and an updated plug-in installer.

An advisory released by Secunia warned that the flaws carry a "highly critical" rating.

Secunia listed seven vulnerabilities that affect the Mozilla products, including various boundary errors that can be exploited to cause heap-based buffer overflows when a specially crafted e-mail is forwarded or opened.

A successful attack could lead to the execution of malicious code to completely hijack a vulnerable machine.

Another flaw exists where insufficient restrictions on script-generated events on text fields can be exploited to read and write content from and to the clipboard.

Secunia also warned of a problem with overly long links containing non-ASCII characters that can be exploited via a malicious Web site or e-mail to cause a buffer overflow.

"An integer overflows when parsing and displaying BMP files [that] can potentially be exploited to execute arbitrary code by supplying an overly wide malicious BMP image via a malicious website or in an e-mail," the research firm said.

It also highlighted a problem with the way Mozilla allows the dragging of links to another window or frame. "This can be exploited by tricking a user on a malicious Web site to drag a specially crafted javascript link to another window," Secunia said, warning that a malicious attacker could execute script code in the context of that window. "Further exploitation can in combination with another unspecified vulnerability lead to execution of arbitrary code," the company added.
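The BMP flaw quoted above belongs to a general bug class: a buffer size computed from an attacker-supplied width wraps around in 32-bit arithmetic. The following is an added illustration of that class and of a defensive size check; it is not Mozilla's code, and the function names and the MAX_DIM limit are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed upper bound on accepted image dimensions (example policy, not from the advisory). */
#define MAX_DIM 32767u

/* Naive 32-bit arithmetic: width * bpp wraps modulo 2^32 for a very wide image,
   so the computed buffer size can be far smaller than the real row length. */
uint32_t bmp_size_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t stride = ((width * bpp + 31u) / 32u) * 4u; /* rows padded to 4 bytes */
    return stride * height;
}

/* Checked version: validates header fields first, then computes in 64 bits.
   Returns 0 and stores the size in *out on success, -1 if the header is rejected. */
int bmp_size_checked(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32)
        return -1;
    if (width == 0 || height == 0 || width > MAX_DIM || height > MAX_DIM)
        return -1;
    uint64_t stride = (((uint64_t)width * bpp + 31u) / 32u) * 4u;
    uint64_t total = stride * height;
    if (total > (uint64_t)SIZE_MAX)
        return -1;
    *out = (size_t)total;
    return 0;
}

int main(void)
{
    /* Constructed sample header values: an overly wide 32-bpp image, one row high. */
    uint32_t w = 0x08000001u, h = 1, bpp = 32;
    size_t n = 0;
    printf("unchecked size: %u bytes\n", (unsigned)bmp_size_unchecked(w, h, bpp));
    printf("checked result: %d\n", bmp_size_checked(w, h, bpp, &n));
    return 0;
}
```

With the constructed width, the unchecked calculation yields a 4-byte buffer for a row that actually needs about 512 MB, which is the mismatch that turns into a heap overflow once pixel data is copied in.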

News courtesy of internetnews.com

September 16, 2004

