Firefox update squashes 11 bugs

 

Gallery

By Stuart Turton

Posted on 12 Jun 2009 at 11:10

Mozilla's latest update to the Firefox browser brings with it 11 security fixes, including four for critical vulnerabilities.

Critical represents the Foundation's highest security level, and the majority of the bugs would have allowed attackers to run malware on affected computers.

Among the most serious of the holes plugged by the update was a flaw in the browser's JavaScript event handler allowing attackers to execute arbitrary code with local chrome privileges.

The patch also addresses another privilege escalation bug that allowed hackers to hijack chrome objects and run malicious code when visiting specific websites.

Mozilla also noted a race condition bug that popped up when deleting Java objects, giving attackers the ability to execute code held in the freed memory.

Also on the bug list is one fix ranked as high importance. This addresses a flaw in SSL handling that would have allowed an attacker to intercept CONNECT requests and run Javascript on the affected machine while pretending it had come from a secure site.

Interestingly, this bug was actually picked up by Microsoft back in January and passed along to the development team. The problem also affects SeaMonkey and Thunderbird.