Print this article  |  E-mail this article  |  Comment on this article

Mozilla addresses memory corruption issues in Firefox 2 fix

By Ed Oswald, BetaNews

March 26, 2008, 10:49 AM

Mozilla issued its 13th update to alternative browser Firefox 2, fixing six issues, two of which the company called critical.

"Some vulnerabilities and weaknesses have been reported in Mozilla Firefox, which can be exploited by malicious people to bypass certain security restrictions, disclose potentially sensitive information, conduct cross-site scripting and phishing attacks, and potentially compromise a user's system," security firm Secunia said of the fixes.

According to advisories, some of the problems also affect Thunderbird and SeaMonkey. Of the critical issues, "several" issues were fixed that appeared to be memory corruption issues. Mozilla presumes that arbitrary code could be executed with enough effort.

That issue, as well as the other critical update which deals with privilege escalation and code execution risk in Mozilla products, can be exploited through JavaScript. Scripts could be run with elevated privileges and the browser could be used to run cross-site scripting and code execution, it said.

Two high priority fixes were also issued, which dealt with an XUL popup spoof, an a Java issue that could allow for the opening of arbitrary ports on a user's system. Those issues only affected Firefox and SeaMonkey,

Other than that, a moderately rated fix was issued for an HTTP referrer spoofing risk, and a low-priority fix for a privacy issue with SSL client authentication.

Add a Comment (20 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By sumone

posted Mar 27, 2008 - 6:15 AM

Any reason why partial update fails and I've to download a full update? It's been happening since the last 3-4 FF updates on my comp.

Score: 0

By PC_Tool

posted Mar 27, 2008 - 9:34 AM

I had that happen on two seperate PCs.

Seems to be that the Firefox process isn't entirely killing itself.

Best bet is to simply do a clean boot after the first failure (if caught in a loop, kill the two processes in task manager).

Once booted, restart the browser. It should update fine.

Score: 0

By davidlerner

posted Mar 26, 2008 - 5:12 PM

And here I was thinking that FireFox was safe...
(there always seems to be another bug)
:P

--
www.TalkPrice.net

Score: 0

By mdotwills

posted Mar 26, 2008 - 7:39 PM

bad troll!

It always has been safer, and it's safe to say it will always be. Take your talkprice.net rubbish somewhere else!

Score: 0

By cricri_pingouin

posted Mar 27, 2008 - 5:26 AM

"It always has been safer, and it's safe to say it will always be."

Wow, that's what I call a solid argument supported by concrete evidence. Statistically, I notice that people who call others "trolls" mostly are trying to discredit someone while lacking arguments to do so (i.e. argumentum ad hominem).
It is true that IE has (and had) a lot of security issues, but it is also true that this is the case for Firefox.
So why do I use Firefox? Well, not because I'm a systematic MS basher like some others, but because I use what's best for me, no matter who did it. Firefox happens to better match my user interaction requirements, and it owes a lot to its extensive library of extensions.
I don't say that IE is more secure than Firefox, but I won't believe the opposite either until an impartial thorough study appears.
And so what, of course there will always be security issues while a software is maturing and features are added. But honestly, how many times did you get hacked? Me, never, and I've been using IE and "Gecko based" (I know the Firefox team would shoot me for calling their family of browsers like that) for like, maybe 12 years, and never suffered from any of these security issues (critical or not) anyway.

Score: 0

By Hellcat_M

edited Mar 26, 2008 - 3:05 PM

I went back to try maxthon 2 and one thing it does I like. When the memory usage gets a little high you can minimize it to the system tray and the memory usage goes from like 200,000 to 65,000, then when you bring it back up it'll stay down to about 150,000. I like that, I've tried trayit and it with Firefox and it dosn't lower the ram much when you send FF to the system tray. I like FF needs to impliment this, its a nice feature to reset ram.

I actually just tried this with FF3 and my memory usage before minimizing was 153,000 and it jumped to 160,000 after minimizing and bringing it back up, then it went back down to 153,000. If their going to implement reduced memory usage on mimimize in FF3, their not doing a good job of it so far.

Score: 0

By PC_Tool

posted Mar 26, 2008 - 2:06 PM

Version 3.

Score: 0

By Hellcat_M

posted Mar 26, 2008 - 2:23 PM

If Version 3 does that, thats great. Its an important feature and it works well with maxthon. I have V3 installed but I can't use a couple of my addons (tabs plus and google browser sync), so I haven't done extensive testing on it yet.

Score: 0

By improvelence

posted Mar 27, 2008 - 11:18 AM

Yea the lack of a compatible google browser sync plugin does suck. I utilize the hell out of it and you can encrypt your info which is nice. Looks like I might have to use something else for the time being. I figured google would resolve this by now.

Score: 0

By PC_Tool

posted Mar 26, 2008 - 2:58 PM

Tab plus has a dev version that works on 3. Check their forums.

Never heard of google browser sync...

Score: 0

By Hellcat_M

posted Mar 27, 2008 - 1:08 AM

Thanks PC, I downloaded the dev version and it works well.

Google browser sync saves your Firefox setting and bookmarks to the Google server. I like it because I can go to work or over a friends house and just login to my google sync at their place and get all my bookmarks. I'm testing some other programs that do similar things, but none of them work with FF 3 yet.

Score: 0

By Lil Alien

posted Mar 26, 2008 - 12:53 PM

...and still, the memory holes remain.

Has anyone else noticed that if you have a browser window open a few hours, open a couple of NEW windows, close them, open a couple of tabs, close them, etc. throughout the day the memory use climbs and climbs and you never recover ram until you restart Firefox from scratch. I have 4 gig of RAM on a core2quad.. It'll climb to like 150 megs, 250 megs, 500 megs, 900 megs. Do a ctrl-alt-del more often and watch it hog it.. Been going on for well over a year on any new systems I build... Hmm.

Score: 0

By God Dammit

posted Mar 26, 2008 - 2:06 PM

I use Windows Vista SP 1. I haven't thoroughly monitored previous versions of Firefox, but the new version 2.0.0.13 has no memory leaks like the ones you describe. With two tabs open the memory usage was about 32MB in Task Manager. When I opened two additional tabs (total of four) the memory usage jumped to about 60MB. I then closed two of the four tabs and the memory usage dropped to 45MB. After I clicked the Tools menu and clicked Clear Private Data the memory usage dropped back to 32MB. After this I tried opening up a total of four tabs and two new windows. The memory usage was at 56MB in Task Manager. I closed the new windows and two of the four tabs. Then I cleared the cache again. Memory usage dropped to 32MB.

Whatever memory leaks you describe don't exist in Firefox 2.0.0.13.

Score: 0

By Lil Alien

posted Mar 26, 2008 - 11:28 PM

I use Windows Vista (Ultimate) SP1 as well. Have you done this all day? Two days? Firefox is the only one that continuously suffers this problem out of every program I own and use daily.

If I close Firefox completely, it starts fresh. It can't be reproduced in just a few minutes it takes hours/1-2 days to view true effects.

Score: 0

By redflameout

edited Mar 27, 2008 - 4:29 PM

I see the memory leak with 2.0.0.13 also. It gets worse with add-ons installed and I am starting to suspect google sync or google toolbar as being part of the problem as the amount of memory climg shown in Windows Task Manager is far less with either or both removed.

Windows XP Sp2 and Windows Vista Ultimate SP1

Score: 0

By PC_Tool

posted Mar 26, 2008 - 1:22 PM

Session Management (TMP) and a restart every once in a while takes care of it nicely though.

Still sucks, but it's better than the alternatives, IMO...

restart, restore previous session (All 18 tabs), and yer good to go. :p

Score: 0

By mjm01010101

posted Mar 26, 2008 - 1:12 PM

3 will address.

Score: 0

By dejavu

posted Mar 26, 2008 - 12:27 PM

Old Firefox problem: "memory corruption issues"! But remains my default browser!

Score: 0

By preinterpost

posted Mar 26, 2008 - 1:39 PM

It will be my alternative/fringe case browser until they manage to fix this once and for all.

Score: 0

By mjm01010101

posted Mar 26, 2008 - 11:31 AM

Just like the previous 12 updates, according to the update history.

Score: 0

Sep 5 - 8:44 PM ET Mozilla's Aza Raskin: The journey back to Ubiquity

Sep 5 - 7:10 PM ET Red Hat buys virtualization specialist Qumranet

Sep 5 - 7:06 PM ET Analysts: Online news viewers rising as newspaper readership falls

Sep 5 - 6:55 PM ET Where does Sarah Palin stand on technology issues?

Sep 5 - 6:51 PM ET Adobe Flash to deliver NFL games in full

Sep 5 - 4:29 PM ET Exclusive beta invitation from GameTap and BetaNews

Sep 5 - 4:09 PM ET Report: OLPC buy one, give one deal returns

Sep 5 - 3:45 PM ET No ruling yet in TiVo vs. EchoStar patent case

Sep 5 - 3:37 PM ET Google Analytics starts tracking Chrome, with intriguing results

Sep 5 - 2:14 PM ET Comcast challenges FCC's authority in sanction appeal