Mozilla Fixes 12 Flaws in Firefox Browser

Mozilla late last week released 12 patches for its popular open source browser. Five of the patches issued in Firefox 1.5.0.4 were labeled “critical.”

Mozilla has issued four security updates to the 1.5 edition of the browser since it was made available last November. The last round of security fixes, released last April, included a whopping 24 patches, plugging 11 critical holes.

“Firefox 1.5.0.4 is a security update that is part of our ongoing program to provide a safe Internet experience for our customers,” Mozilla said on its Web site. “We recommend that all users upgrade to this latest version.” Users of Firefox 1.5 or newer will receive the patches automatically.

Users at Risk

“Multiple vulnerabilities have been reported in Firefox, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting and HTTP response smuggling attacks, and potentially compromise a user’s system,” Secunia reported last week.

The HTTP response smuggling attacks, which take advantage of Mozilla’s lenient handling of HTTP header syntax, could allow a malicious code writer to steal login cookies or other sensitive data if the user has an account at the spoofed site.

Some flaws could be used by hackers to create buffer overflows that would allow a perpetrator to plant malicious code on a victim’s computer. Other flaws could let attackers run malicious JavaScript without the user’s permission. Mozilla team members also discovered several crashes during testing of the browser engine showing evidence of memory corruption it presumes would be exploitable.

Since Thunderbird, Mozilla’s e-mail client, shares the browser engine with Firefox, it could also be vulnerable to some of these attacks. Mozilla also patched eight flaws in Thunderbird in 1.5.0.4 and fixed a long list of bugs in its SeaMonkey project with the release of the 1.0.2 version, a follow-up to the now-defunct Mozilla browsing suite.

Facing Realities

Regardless of antivirus and other security features, an infinite number of exploits will continue to threaten browser users. Until the patches are deployed, those users are left facing identity theft and other risks. That’s when users need to exercise some common sense and not click on links from unknown senders, said IronPort CTO Patrick Peterson.

“The industry has chased a lot of malware writers out of the spam world, so they see the browser as a greener field,” Peterson said. “They will develop more sophisticated tools and increase the volume of attacks until they get to the point of diminishing return where the browser doors are locked. Then they’ll move on to the next thing.”

The Next Target

The next thing may be the operating system, which is indeed a major target for attackers.

Secunia reported an overflow vulnerability in Microsoft Windows last Thursday, for example, that could be exploited by malicious people to cause a denial-of-service attack on certain applications on a user’s system. The browser could play a role in an attacker’s success with this exploit.

The vulnerability is caused due to a boundary error in inetcomm.dll within the processing of URLs with the “mhtml:” URI handler. This can be exploited to cause a stack-based buffer overflow via an overly long URL by tricking a user into visiting a malicious Web site with Internet Explorer or opening a specially crafted Internet shortcut.

The vulnerability has been confirmed on a fully patched system with Microsoft Windows XP SP2 and Microsoft Windows 2003 Server. Secunia, however, has rated the flaw as “less critical.”

Experts predict no slowing in the number of attacks via e-mail, operating system, browser or instant messenger as cybercriminals continue to look for ways to make quick cash at the expense of naive Internet users.