Firefox patches address three critical vulnerabilities
Internet Explorer is apparently not the only browser this week that's the subject of preventative measures, as Mozilla revealed this morning that the real reason for issuing Firefox 3.0.5 was to prevent a possible wave of page hijacks.
While version 3.0.5 of Mozilla's Firefox browser was, for the most part, perceived as a bug fix, security bulletins released this morning by the organization warn that the update addresses new vulnerabilities that are awaiting official classification. Two of those cases involve violations of the company's same-origin policy, under which any script run by a site, or attachment sent by a site, must derive from the same DNS address as the source page that refers to it.
It's this policy that's designed to prevent hijacking of a site by a malicious impostor. This morning, Mozilla is crediting one of its most prolific bug finders through the years -- who only identifies himself/herself as moz_bug_r_a4 -- for locating the flaws.
One of these cases involves XBL binding -- a newer and more modular way for developers to associate an element on an HTML page with functionality, templates, and stylesheet instructions, based on a standard from W3C. Some of that functionality may include JavaScript; and as moz_bug_r_a4 apparently discovered, if the XBL element is bound to a page that has not yet loaded, conceivably that JavaScript could come from anywhere. In other words, the same-origin policy only appears to apply when there is a page that sets the origin; without it, the script could hail from a malicious site.
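The failure mode described above, as an added example that is not Firefox source code: a simplified model in which an origin check is skipped when the document has no origin yet, next to a fail-closed version. The function names and the example.com / example.net URLs are hypothetical.

```javascript
// Added illustration: a simplified model, not Firefox source code.
// All function names here are hypothetical.

// Return the origin (scheme + host + port) of a URL, or null when the
// URL has no usable origin (missing, unparsable, about:blank, data:, ...).
function originOf(url) {
  if (url === null || url === undefined) return null;
  try {
    const o = new URL(url).origin;
    return o === "null" ? null : o; // WHATWG URL reports opaque origins as "null"
  } catch (e) {
    return null;
  }
}

// Weak check: when the document has no origin yet, nothing is compared,
// so the script is allowed regardless of where it comes from.
function naiveAllows(documentUrl, scriptUrl) {
  const docOrigin = originOf(documentUrl);
  if (docOrigin === null) return true; // no origin to compare against
  return docOrigin === originOf(scriptUrl);
}

// Fail-closed check: a missing origin on either side is a denial.
function strictAllows(documentUrl, scriptUrl) {
  const docOrigin = originOf(documentUrl);
  const scriptOrigin = originOf(scriptUrl);
  if (docOrigin === null || scriptOrigin === null) return false;
  return docOrigin === scriptOrigin;
}

// Constructed sample cases (example.com / example.net are placeholders).
const cases = [
  ["https://example.com/page.html", "https://example.com/binding.js"],
  ["https://example.com/page.html", "https://example.net/binding.js"],
  [null, "https://example.net/binding.js"],          // page not loaded yet
  ["about:blank", "https://example.net/binding.js"], // placeholder document
];

// Run both checks over every sample case and return the verdicts.
function evaluate() {
  return cases.map(([doc, script]) => ({
    doc, script,
    naive: naiveAllows(doc, script),
    strict: strictAllows(doc, script),
  }));
}

console.table(evaluate());
```

The two checks agree whenever the document has an origin; they differ only in the last two rows, where the weak check allows a cross-site script because there is nothing to compare it against.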
The other moz_bug_r_a4 discovery reported this morning is an apparently clever way to inject Web page addresses into the automatic session restoration feature of the browser. If a malicious user can trigger the browser to crash, session restore could pull up an unwanted page among all the others, as it tries to restore the user's previous browsing session.
The third critical vulnerability reported this morning appears to be an umbrella case for several JavaScript integrity problems, in which browser crashes could lead to the execution of leftover code in memory, without privilege. No further details are known about these problems at this time.
This week's slate of bug fixes also triggered one more release of the venerable Firefox 2 series browser -- this time, version 2.0.0.19. The organization had indicated earlier that version 2.0.0.18 -- which removed a phishing filter feature that ended up being incompatible with Google's current list standards -- would be the last in that series.