Mozilla Releases Firefox 3.5.6 and 3.0.16 to Fix 11 Vulnerabilities
Summary:
- These vulnerabilities affect: Firefox 3.5.5 and earlier (and Firefox 3.0.15 and earlier in the legacy 3.0 line) for Windows, Linux, and Macintosh
- How an attacker exploits it: Multiple vectors of attack, including enticing one of your users to visit a malicious web page
- Impact: Various results; in the worst case, an attacker executes code on your user’s computer, gaining complete control of it
- What to do: Upgrade to Firefox 3.5.6 (or legacy Firefox 3.0.16)
Exposure:
The Mozilla Foundation released Firefox 3.5.6, fixing at least 11 vulnerabilities (we typically base our count on CVE-IDs) in their popular web browser. They also released Firefox 3.0.16 to fix security vulnerabilities in the legacy version of Firefox. Three of the vulnerabilities have been rated as critical, which they define as a vulnerability that can be used to run attacker code and install software, requiring no user interaction beyond normal browsing. We summarize the most critical Firefox 3.5.x vulnerabilities below:
- Integer Overflow, Crash in libtheora Video Library (MFSA 2009-67). An attacker would first have to entice one of your users into visiting a malicious web page that serves a specially crafted video. An integer overflow in the libtheora decoder then causes it to write data past the end of a buffer, crashing the browser and potentially allowing arbitrary code to run. If your user took the bait, the attacker could execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
Mozilla Impact rating: Critical
- Memory Safety Fixes in liboggplay Media Library (MFSA 2009-66). Again, the bugs that were fixed could potentially be used by an attacker to crash a victim’s browser and execute arbitrary code on their computer.
Mozilla Impact rating: Critical
- Crashes with Evidence of Memory Corruption (MFSA 2009-65). This addresses several crashes in the browser engine used in Firefox and other Mozilla products. Mozilla warns that with enough effort at least some of these could be exploited to run arbitrary code. As usual, if your user has local administrative privileges, the attacker gains complete control of the user’s machine.
Mozilla Impact rating: Critical
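The libtheora issue above is an instance of a common bug class: a buffer is sized from untrusted dimensions, the size arithmetic wraps, and the decode loop then writes more bytes than were allocated. The following C program is an added illustration of that pattern and its fix; it is constructed for this alert and is not libtheora's or Mozilla's code. The `frame_hdr` type, the `MAX_DIM` limit and the sample dimensions are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed illustration of the bug class, not libtheora's code.
 * A decoder reads frame dimensions from an untrusted header and sizes
 * its pixel buffer from them. */
typedef struct {
    uint32_t width;
    uint32_t height;
} frame_hdr;

/* Hypothetical sanity limit on a single dimension (assumption). */
#define MAX_DIM 16384u

/* Vulnerable pattern: width * height is computed in 32-bit arithmetic
 * and wraps silently, so the buffer can end up far smaller than the
 * number of pixels the decode loop will later write into it. */
size_t buffer_size_unchecked(const frame_hdr *h)
{
    uint32_t pixels = h->width * h->height;  /* wraps modulo 2^32 */
    return (size_t)pixels;
}

/* Hardened pattern: reject zero or oversized dimensions, then prove the
 * multiplication cannot overflow before performing it. With MAX_DIM as
 * above the product always fits, so the SIZE_MAX test is defence in
 * depth in case the limit is ever raised. Returns 0 on success, -1 if
 * the header must be rejected. */
int buffer_size_checked(const frame_hdr *h, size_t *out)
{
    if (h->width == 0 || h->height == 0)
        return -1;
    if (h->width > MAX_DIM || h->height > MAX_DIM)
        return -1;
    if (h->width > SIZE_MAX / h->height)   /* would overflow size_t */
        return -1;
    *out = (size_t)h->width * (size_t)h->height;
    return 0;
}

/* The true pixel count, computed in 64 bits so it cannot wrap. */
uint64_t true_pixel_count(const frame_hdr *h)
{
    return (uint64_t)h->width * (uint64_t)h->height;
}

/* 1 if the unchecked path would allocate fewer bytes than the decode
 * loop writes, i.e. an out-of-bounds write is possible. */
int unchecked_overflows(const frame_hdr *h)
{
    return (uint64_t)buffer_size_unchecked(h) < true_pixel_count(h);
}

int main(void)
{
    /* Constructed headers: a normal frame and a crafted one whose
     * product 65536 * 65537 = 2^32 + 65536 wraps to 65536 in 32 bits. */
    frame_hdr benign = { 640, 480 };
    frame_hdr crafted = { 65536, 65537 };
    const frame_hdr *cases[] = { &benign, &crafted };

    for (size_t i = 0; i < 2; i++) {
        size_t safe = 0;
        int ok = buffer_size_checked(cases[i], &safe);
        printf("%u x %u: unchecked=%zu true=%llu overflow=%d checked=%s\n",
               cases[i]->width, cases[i]->height,
               buffer_size_unchecked(cases[i]),
               (unsigned long long)true_pixel_count(cases[i]),
               unchecked_overflows(cases[i]),
               ok == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The crafted header allocates a 64 KB buffer in the unchecked path while the decoder believes it has over 4 GB of pixels to write; the checked path refuses the header before any allocation happens. The program only computes the sizes and never performs the out-of-bounds write itself.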
Mozilla’s alert describes several more vulnerabilities. Visit Mozilla’s Known Vulnerabilities page for a complete list of the vulnerabilities that the 3.5.6 update fixes. You can also visit the 3.0 Known Vulnerabilities page to check out the fixes in 3.0.16.
Solution Path:
Mozilla has updated Firefox 3.5, correcting these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 3.5.6 as soon as possible. They have also released Firefox 3.0.16 for the legacy 3.0.x line. However, we recommend that 3.0.x users update to 3.5.x to keep current with the latest version of Firefox.
Note: The latest version of Firefox 3.5 automatically informs you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to always download and install any update, or if you prefer, only to inform the user that an update exists.
For All Users:
Many of these attacks arrive as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.
Status:
The Mozilla Foundation has released Firefox 3.5.6, fixing these security issues.