10 Bugs Fixed in New Mozilla Apps

The final version of the Firefox 2 generation made it's debut with a series of updates from Mozilla to address 10 vulnerabilities in their products. New versions of Firefox 3, Thunderbird and SeaMonkey are also out now for the same reason. Firefox 2.0.0.19 has no phishing protection anymore.

[Update: Well, turns out Firefox 2.0.0.19 will not be the last. A "clerical error" caused the omission of one of the updates for this version from the release. Sometime in the next few days Firefox 2.0.0.20 will be released to address this one vulnerability, which we are told is not an especially serious one.]

8 of the 10 vulnerabilities affect Firefox 3 which is now up to version 3.0.5, and 3 of them are rated Critical:

• MFSA2008-69: XSS vulnerabilities in SessionStore—Content could be injected into the session restore data, causing the browser to violate policies. This one also affects Firefox 2. Sounds difficult to exploit to me, but there aren't any details provided.
• MFSA2008-68: XSS and JavaScript privilege escalation—It's possible to attach commands to an unloaded document that will cause the browser to run Javascript with Chrome privileges. Serious. Affects all 4 apps, although by default Javascript is disabled in Thunderbird.
• MFSA2008-60: Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)—A common scenario in Mozilla disclosures: As the title says, there is memory corruption and they are reporting the worst-case outcome from them, which is entirely plausible. All four products affected.

Another vulnerability, rated High for severity, is interesting to read. MFSA2008-65: Cross-domain data theft via script redirect error message—. In this bug a special error condition is deliberately caused, exposing potentially sensitive data from the first domain session through the DOM.

The remaining errors in Firefox 3 are of either Moderate or Low severity.

There is one more Critical vulnerability, although it affects only Firefox 2: MFSA2008-62: Additional XSS attack vectors in feed preview—A previous bug fix in Firefox 2 turns out to be incomplete, and this fills the gap.

And we should add that actually, a new version of Thunderbird (version 2.0.0.19) may have been announced in the security bulletins but, as is usually the case, the software is not yet available. As of Wednesday morning 2.0.0.18 is still the version available for download.

Finally, and to repeat, Firefox 2.0.0.19 is the last of that generation of product. The official policy is that there will be no more updates, even for security issues. It's time to move on to Firefox 3. (story Link)