New Mozilla troubles
[Posted April 18, 2006 by corbet]
The Mozilla Foundation has owned up to a new list of vulnerabilities in its
code; these holes open up the frightening prospect of arbitrary code
execution by remote attackers. Any system running Firefox, Thunderbird,
SeaMonkey, or anything else built on the underlying Mozilla components
(RSS aggregators, for example) may be vulnerable, and should be looking for
updates. Here's what has been turned up:
- There is a long list of JavaScript-related vulnerabilities, including
problems with crypto.generateCRMFRequest() (CVE-2006-1728), a
security restrictions bypass vulnerability (CVE-2006-1726), a "cloned
parent" access restriction failure (CVE-2006-1734), and a regular
expression memory corruption bug (apparently no CVE number at the
moment).
- Cascading style sheets account for a couple of problems, including an
integer overflow bug (CVE-2006-1730) and an array overflow
vulnerability (CVE-2006-1739).
- The Extensible Binding Language (XBL) facility has an access restriction
failure (CVE-2006-1733) and a privilege escalation vulnerability
(CVE-2006-1735).
- Other troubles include "memory corruption via a particular sequence of
HTML tags" (CVE-2006-0749), a DHTML memory corruption bug
(CVE-2006-1724), and "an unspecified vulnerability" in how display
styles are handled.
Disabling JavaScript should protect against the first set of
vulnerabilities, but will do nothing for the rest of them, since the CSS,
XBL and HTML parsing bugs are triggered by content the browser renders
regardless of that setting. The only way to protect against the full set is
to update the software; new versions are available from Mozilla. For
distributor updates, see the LWN vulnerability entry.
A list of remotely-exploitable vulnerabilities this long is worrisome,
especially when it refers to a package as popular as Firefox. This browser
has gained millions of users; its reputation for better security is one of
the reasons for this success. But a single, widespread exploit of a
Firefox vulnerability could set things back in a hurry.
Unfortunately, it would seem that such an exploit is bound to happen,
sooner or later. A web browser is a seriously complex piece of code which
is simultaneously exposed to potentially hostile input from the net and
used for tasks requiring a high degree of trust - working with financial
sites, for example. Why should an attacker bother with phishing when a
browser vulnerability can enable the installation of a keystroke logging
"extension"? There can be no doubt that attackers will be tempted by a
potential payoff of that magnitude. We must hope that the security fixes
will continue to reach us ahead of the attackers.
(See also: the CERT advisory for these vulnerabilities).