Gestern ist das automatische Update für Firefox wieder angesprungen. Die neue Version 18.104.22.168 schließt drei kritische Lücken:
Mozilla Foundation Security Advisory 2008-01: Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox 22.214.171.124 and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
Mozilla Foundation Security Advisory 2008-03: Mozilla contributors moz_bug_r_a4 and Boris Zbarsky submitted a series of vulnerabilities which allow scripts from page content to escape from its sandboxed context and/or run with chrome privileges. An additional vulnerability reported by moz_bug_r_a4 demonstrated that the XMLDocument.load() function can be used to inject script into another site, violating the browser’s same-origin policy.
Mozilla Foundation Security Advisory 2008-06: Mozilla contributor David Bloom reported a vulnerability in the way images are treated by the browser when a user leaves a page which utilizes designMode frames. The reported issue can be used to steal a user’s navigation history, forward navigation information, and crash the user’s browser. The crash showed evidence of memory corruption and might be exploitable to run arbitrary code.
Ein als „hoch“ eingestuftes Sicherheitsloch:
Mozilla researcher moz_bug_r_a4 reported that this vulnerability could be used to steal the contents of the browser’s sessionstore.js file, which contains session cookie data and information about currently open web pages.
Sowie drei „moderate“ und drei als niedrige Gefahr eingestufte Lücken. Die Informationen dazu finden sich hier.