FireFox 1.5.0.2 Released With Critical Security Fixes - Recommended
By Angsuman Chakraborty, Gaea News NetworkThursday, April 13, 2006
This is primarily a security fix release patching 5 critical defects and one high priority defect. Couple of them are regression defects (introduced in 1.5). The major feature is Universal Binary support for Mac OS X which provides native support for Macintosh with Intel Core processors. Firefox supports the enhancements to performance introduced by the new MacIntel chipsets.
The key fixes are:
MFSA 2006-29 Spoofing with translucent windows
An interaction between XUL content windows and the new faster history mechanism in Firefox 1.5 caused those windows to become translucent. This could be used to construct spoofs that could trick users into interacting with browser UI they can’t see. It’s possible a clever game-type presentation could persuade an unsuspicious user into some combination of actions that would result in running the attacker’s code. This is a regression bug. It was not there in 1.0.
MFSA 2006-28 Security check of js_ValueToFunctionObject() can be circumvented
The security check in js_ValueToFunctionObject() can be bypassed by clever use of setTimeout() and the new Firefox 1.5 array method ForEach. shutdown demonstrated how to leverage this into a privilege escalation vulnerability that would allow the installation of malware.
This is again a regression defect. This vulnerability was introduced during Firefox 1.5 development.
MFSA 2006-25 Privilege escalation through Print Preview
Georgi Guninski reported two variants of using scripts in an XBL control to gain chrome privileges when the page is viewed under “Print Preview”. This vulnerability exists even if web-content JavaScript is turned off.
MFSA 2006-24 Privilege escalation using crypto.generateCRMFRequest
shutdown demonstrated that the crypto.generateCRMFRequest method can be used to run arbitrary code with the privilege of the user, which could enable an attacker to install malware.
MFSA 2006-23 File stealing by changing input type
Claus Jørgensen reported that a text input box can be pre-filled with a filename and then turned into a file-upload control with the contents intact, allowing a malicious website the ability to steal any local file whose name they can guess.
Jesse Ruderman reported a variation, changing the type of the input control in an event handler to work around some of the initial checks.
MFSA 2006-22 CSS Letter-Spacing Heap Overflow Vulnerability
An anonymous researcher for TippingPoint and the Zero Day Initiative discovered an integer overflow triggered by the CSS letter-spacing property. This results in in under-allocating memory and ultimately a heap buffer overflow which could be exploited to run code of the attacker’s choice.
The overflow condition itself does not require JavaScript and thus could affect Thunderbird via received mail, but without scripting to prepare memory it may not be possible to exploit this condition in mail.
MFSA 2006-20 Crashes with evidence of memory corruption (rv:1.8.0.2)
As part of the Firefox 1.5.0.2 release we fixed several crash bugs to improve the stability of the product, with a particular focus on finding crashes caused by DHTML. Some of these crashes showed evidence of memory corruption that we presume could be exploited to run arbitrary code with enough effort.
Link