Latest Mozilla updates, including Firefox, address a serious vulnerability


Download Mozilla Firefox 3.0.6 for Windows from Fileforum now.


Some of Mozilla's best cross-site scripting researchers discovered another instance where code from one site can be made to control the interface of another. As it turns out, the version 3.0.6 software contains the fix.

Users of Firefox 3 began seeing notices yesterday that version 3.0.6 has been formally released. Along with those notices is a complete list of bug fixes and addressed issues, one of which is the revelation of a potentially serious -- though far from blatantly obvious -- series of exploitable flaws that could lead to the execution of arbitrary code.

In fact, were it not for the contributions of open source researchers including the now-legendary moz_bug_r_a4, very few malicious users might ever have discovered these flaws on their own. As Mozilla developers know, the Firefox Web browser, the Thunderbird e-mail client, and the Netscape Navigator-like SeaMonkey comprehensive Internet utility all use JavaScript for the rendering of their front ends, controls, and gadgets. It's a very easy language to manipulate, and an easy one for supporting developers to build add-ons with.

But because Web sites themselves typically also execute JavaScript, it's critically important for the browser or e-mail client to distinguish the sources of what it's executing. On the one hand, software that changes the behavior of the application -- what Mozilla developers call "chrome" -- may be what the user wants or intentionally installed. On the other, it may be something picked up accidentally.

And that's the basis of the cross-site scripting vulnerabilities that moz_bug_r_a4 and company have been concentrating on. Mozilla software tries to adhere to a same origin policy, where JavaScript code can manipulate only the pages or windows that come from the same origin as the code itself. That policy is more and more difficult to enforce given the more complex nature of the bindings that relate JavaScript code to its designated on-screen graphic objects. With the Extensible Bindings Language (XBL) that's responsible for marshaling the "chrome" in Mozilla apps such as Firefox, there are three critical components: the code that represents the graphic object (written in XUL), the CSS code in the stylesheet that essentially states that the object exists, and the XBL bindings that relate the object instantiated by the CSS code to the definition in the XUL code.

It's a complex system, which isn't surprising in the case of Web standards. Probably because it's a complex system, Mozilla testers are finding more and more instances where the binding that should pair a graphic object with one specific behavior ends up pairing that object with any behavior that comes down the pike. For obvious reasons, the details of precisely how this latest hole works have not been revealed; but as even the US Dept. of Homeland Security acknowledges today, the solution is already available in the form of Firefox 3.0.6 and its associated apps.

Also, since version 3.0.4, I've seen some evidence that the old memory leak bugs from Firefox 2 had been creeping back. I'd suspected Tab Mix Plus, a popular (and much-loved) plug-in, and I've even taken some guff for making my suspicions public. Well, as testers, if we don't discuss the problems we're having and if we don't suspect even the software we love, we'll never find a solution. In any event, my most recent tests appear to indicate that, although Firefox without Tab Mix Plus appears to exhibit the memory leak less often, it can still happen. In other words, the add-on exacerbates what is probably an existing problem -- which means it may not be the add-on's "fault," though it could unintentionally be making a bad problem worse.

In any event, Mozilla's latest round of updates also lists memory allocation problems among the reported faults that developers have addressed, so we will begin a fresh round of tests to see if this behavior appears to have changed.


Download Mozilla Firefox 3.0.6 for Linux from Fileforum now.

