- These vulnerabilities affect: Firefox 3.6.3 for Windows, Linux, and Macintosh
- How an attacker exploits it: Typically by enticing one of your users to visit a malicious web page
- Impact: Various results; in the worst case, an attacker executes code on your user’s computer, gaining complete control of it
- What to do: Upgrade to Firefox 3.6.4, or let Firefox’s automatic update do it for you
Yesterday, Mozilla released an advisory describing ten (count based on CVE number) vulnerabilities in Firefox 3.6.3 (and earlier versions) running on all platforms. Mozilla rates more than half of these vulnerabilities as critical; meaning an attacker can leverage them to execute code and install software without user interaction beyond normal browsing. We summarize three of the most critical Firefox 3.6.3 vulnerabilities below:
- XSLT related Integer Overflow Vulnerability (2010-30). Extensible Stylesheet Language Transformations (XSLT) is an XML-based language used to change one XML document into another XML document. A routine Firefox uses to sort XSLT nodes suffers from an integer overflow vulnerability that can cause memory a buffer overflow. By enticing one of your users to a maliciously crafted web page, an attacker can leverage this buffer overflow to either crash Firefox, or to execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
Mozilla Impact rating: Critical
Mozilla Impact rating: Critical
- DOM related Buffer Overflow Vulnerability (2010-29). The Document Object Model (DOM) is a W3C specification for representing structured documents as objects, in a platform and language neutral manner. Some of Firefox’s DOM code suffers from a buffer overflow vulnerability. By enticing one of your users to a maliciously crafted web page, an attacker can leverage this flaw to either crash Firefox, or to execute malicious code on that user’s machine, with that user’s privileges. As usually, attacker may gain full control of your users’ computers if they have administrative privileges.
Mozilla’s alert describes four more vulnerabilities, including another code execution flaw, a potential Cross-Site Scripting (XSS) vulnerability, and an issue that could allow an attacker to record your keystrokes, or inject extra ones. Visit Mozilla’s Known Vulnerabilities page for a complete list of the vulnerabilities that Firefox 3.6.4 fixes.
The vulnerabilities alone should convince you to upgrade, but if you need more reason, Firefox 3.6.4 also comes with a neat new feature called “plug-in isolation”. This feature should significantly improve Firefox’s stability. Part of Firefox’s draw lies in its extensive library of third party extensions or plug-ins, which deliver extra functionality to the popular browser. Previous to plug-in isolation, these extensions or plug-ins ran within the Firefox process, which meant that if a third party plug-in crashed, Firefox would crash. With Firefox 3.6.4, plug-ins now run as external processes, so Firefox can stay running even if a plug-in crashes. If you use third party extensions and plug-ins and have experienced Firefox crashes, this new feature may lessen crashes outside of Mozilla’s control.
Mozilla has released Firefox 3.6.4, correcting ten security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 3.6.4 as soon as possible.
Note: The latest version of Firefox 3.6.x automatically informs you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to always download and install any update, or if you prefer, only to inform the user that an update exists.
For All Users:
This attack arrives as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.
The Mozilla Foundation has released Firefox 3.6.4 to fix these vulnerabilities.