• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Firefox 3.6.x Gets its First Security Update – Mozilla Also Releases Security Updates for Legacy Firefox

March 31, 2010 By The Editor

On 24 March, 2010, we alerted LiveSecurity subscribers about Firefox 3.6.2, which corrected ten security vulnerabilities. When we first released this alert, the Mozilla Foundation had only released an update for the 3.6.x branch of Firefox. They had not released updates for the 3.0.x or 3.5.x branches of Firefox.

Yesterday, the Mozilla Foundation released Firefox 3.5.9 and 3.0.19, which fix many of the same vulnerabilities that Firefox 3.6.2 corrected. You can read more about the vulnerabilities these versions fix in our original alert, or the following Firefox Known Vulnerabilities pages:

  • Known Vulnerabilities for Firefox 3.0.x
  • Known Vulnerabilities for Firefox 3.5.x

If you can, we strongly encourage you use the latest branch of Firefox, 3.6.x. If you use 3.6.x, you probably already updated to version 3.6.2 when we sent our original Firefox alert, and can ignore this update. However, if you chose to stick with Firefox 3.0.x or 3.5.x for some reason, you should download and install Mozilla’s latest updates:

  • Firefox 3.5.9
  • Firefox 3.0.19 (only available via FTP)

For additional details about the original vulnerability, and as a convenient reference, we reproduce our original 24 March alert below. You can also find it in the LiveSecurity Latest Broadcasts archive.


Summary:

  • These vulnerabilities affect: Firefox 3.6  for Windows, Linux, and Macintosh
  • How an attacker exploits it: Multiple vectors of attack, including enticing one of your users to visit a malicious web page
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Upgrade to Firefox 3.6.2

Exposure:

In late January, the Mozilla Foundation released a new branch of Firefox, version 3.6. This week, Mozilla released the first security update for Firefox 3.6, specifically version 3.6.2 (they did not release 3.6.1). This update fixes at least ten (count based on CVE number) vulnerabilities that affect the latest version of Firefox. Mozilla rates four of these vulnerabilities as critical, which they define as flaws that  attackers can leverage to execute code and install software; requiring no user interaction beyond normal browsing. We summarize the most critical Firefox 3.6.x vulnerabilities below:

  • WOFF Integer Overflow Vulnerability (2010-08). Firefox 3.6 introduced support for Web Open Font Format (WOFF), a new downloadable font format that supports compression. Firefox’s WOFF decoder suffers from an integer overflow vulnerability that can cause heap memory corruption, which  attackers can leverage to execute arbitrary code. By enticing one of your users to a maliciously crafted web page, an attacker can leverage this flaw to either crash Firefox, or to execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
    Mozilla Impact rating: Critical
  • Three Memory Corruption Vulnerabilities (2010-11). This update also fixes three other memory corruption vulnerabilities, which can at least crash Firefox. Mozilla’s alert doesn’t say much about these vulnerabilities, other than they lie within Firefox’s browser engine. Mozilla presumes that, with enough effort, attackers could exploit some of these memory corruption flaws to run arbitrary code on a victim’s computer. To do so, an attacker would first have to trick one of your users into visiting a maliciously crafted web page. If your user took the bait, the attacker could execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
    Mozilla Impact rating: Critical

Mozilla’s alert describes six more vulnerabilities, including Cross-Site Scripting (XSS) flaws, browser defacement flaws, and issues that could help a phisher in social engineering attacks. Visit Mozilla’s Known Vulnerabilities page for a complete list of the vulnerabilities that Firefox 3.6.2 fixes.

As an aside, attackers cannot leverage many of these vulnerabilities without JavaScript. Disabling JavaScript by default is a good way to prevent many web-based vulnerabilities. If you use Firefox, we recommend you also install the NoScript extension, which will disable Javascript (and other active scripts) by default.

Solution Path:

Mozilla has released Firefox 3.6.2, correcting these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 3.6.2 as soon as possible. Mozilla strongly recommends 3.0.x and 3.5.x users upgrade to 3.6.x, and so do we. If you are using an older version of Firefox, we recommend you move to 3.6.x, as it contains new security features, such as its ability to detect out-of-date and potentially insecure plug-ins and extensions.

Note: The latest version of Firefox 3.6.x automatically informs you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to always download and install any update, or if you prefer, only to inform the user that an update exists.

For All Users:

Many of these attacks arrive as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

The Mozilla Foundation has released Firefox 3.6.2, fixing these security issues.

References:

  • Firefox 3.6.2 Release Notes
  • Vulnerabilities Fixed in Firefox 3.6.2

Share This:

Related

Filed Under: Security Bytes Tagged With: firefox, mozilla

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • US National Cybersecurity Strategy
  • Here Come The Regulations
  • Cybersecurity’s Toll on Mental Health

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • Cybersecurity News: LastPass Incident Revealed, White House Issues Cybersecurity Strategy, FBI Purchases Leaked USHOR PII Data, and a Slew of Other Breaches
  • An Update on Section 230
  • Here Come The Regulations
  • US National Cybersecurity Strategy
  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use