Upgrade Me

On 01 APR 2010, the Mozilla Foundation announced a critical update for it’s popular Firefox web browser (we say popular, since 80% of you reading this are using it). The update corrects a critical security hole accessible from arbitrary code sent to the browser.

Mozilla Foundation Security Advisory 2010-25

Title: Re-use of freed object due to scope confusion
Impact: Critical
Announced: April 1, 2010
Reporter: Nils (MWR InfoSecurity)
Products: Firefox
Title: Re-use of freed object due to scope confusion

Fixed In: Firefox 3.6.3

Description

A memory corruption flaw leading to code execution was reported by security researcher Nils of MWR InfoSecurity during the 2010 Pwn2Own contest sponsored by TippingPoint’s Zero Day Initiative. By moving DOM nodes between documents Nils found a case where the moved node incorrectly retained its old scope. If garbage collection could be triggered at the right time then Firefox would later use this freed object.

Note: The contest winning exploit only affects Firefox 3.6 and not earlier versions. We will be patching Firefox 3.5 in an upcoming release just in case there is an alternate way of triggering the bug.

References

• https://bugzilla.mozilla.org/show_bug.cgi?id=555109
• CVE-2010-1121

This update follows another critical security hole less than 2 weeks earlier. The product can be downloaded from their website or by using the Check for Updates feature of the software (it’s a very quick update).

Upgrade Me

If you’re running Firefox 3.6, Mozilla strongly recommends you update to version 3.6.2. The new version corrects a critical security hole allowing an attacker to crash your browser and/or run arbitrary code on your machine.

The Security Warning advises:

Mozilla Foundation Security Advisory 2010-08

Title: WOFF heap corruption due to integer overflow
Impact: Critical
Announced: March 22, 2010
Reporter: Evgeny Legerov
Products: Firefox 3.6

Fixed in: Firefox 3.6.2

DESCRIPTION

Security researcher Evgeny Legerov of Intevydis reported that the WOFF decoder contains an integer overflow in a font decompression routine. This flaw could result in too small a memory buffer being allocated to store a downloadable font. An attacker could use this vulnerability to crash a victim’s browser and execute arbitrary code on his/her system.

Note: Support for the WOFF downloadable font format is new in Firefox 3.6 (Gecko 1.9.2); this vulnerability does not affect products built on earlier versions of the Mozilla browser engine.

REFERENCES

• https://bugzilla.mozilla.org/show_bug.cgi?id=552216
• CVE-2010-1028

Firefox recommends that all users upgrade to version 3.6.2 to correct this issue. The product can be downloaded from their website or by using the Check for Updates feature of the software.