Critical Security Patches to Mozilla Firefox
On the heels of an announcement a couple of days ago from Adobe about security flaws in Acrobat, Reader, and Flash, Mozilla just released versions 3.5.2 and 3.0.13 of Firefox to patch two security flaws they're calling "critical".
From the Mozilla Foundation's security announcement,
"We strongly recommend that all Firefox users upgrade to this latest release....3.0 and 3.5 releases of Firefox have different vulnerabilities being patched with their respective releases, but each of them are definitely well worth taking the time to patch your browser to fix.
"This update can be applied manually by selecting 'Check for Updates...' from the Help menu."
Here's a brief recap of the fixes (for complete details visit the following URLs):
Firefox 3.0.13 Release Notes
| Firefox 3.0.13 Fixes | ||
| Mozilla Advisory # | Fix Details | Why It Matters |
|---|---|---|
| 2009-42 | "These certificates could be used to intercept and potentially alter encrypted communication between the client and a server such as sensitive bank account transactions." | A subtle flaw in the way HTTPS (i.e. SSL sites) have their security certificates handled in Firefox means an attacker could lead you to believe you're on a secure site, like your bank, when in fact, you're at their evil site--even if it looks perfectly legitimate. |
| 2009-43 | "This vulnerability could be used to compromise the browser and run arbitrary code by presenting a specially crafted certificate to the client." | An attacker can craft a security certificate that will cause Firefox to run any code of their choosing on your computer. |
| Firefox 3.5.2 Fixes | ||
| Mozilla Advisory # | Fix Details | Why It Matters |
|---|---|---|
| 2009-45 | "Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code." | Memory corruption is never a good thing. In the case of software like Firefox, it can mean an attacker running code of their choosing on your PC. |
| 2009-46 | "Mozilla security researcher moz_bug_r_a4 demonstrated that the broken functionality was due to the window's global object receiving an incorrect security wrapper and that this issue could be used to execute arbitrary JavaScript with chrome privileges." | Similar story here: with enough care, an attacker could write code, Javascript in this case, to run code of their choosing on your computer. |
While we've not tested these various vulnerability and whether or not antivirus software could help insulate your PC from these various attacks, that's one of the things we rely on antivirus software for: protect our computers against unknown security issues.
A few things are definitely clear from this announcement:
- The bad guys aren't going to stop trying.
- Even good software like Firefox has bugs.
- If you think just because you're running Firefox, you're immune from such exploits, think again.
- While antivirus software may not help protect against every possible threat, it definitely helps mitigate the risks.
