News

Firefox 3.0.8 Released, Critical Security Bugs Fixed

Mozilla rolled out security updates for Firefox after the Web browser was hacked during a contest two weeks ago at a software security convention in Vancouver.

The updates address two separate vulnerabilities in Mozilla Firefox browser versions 3.0.x. Users can get them through "Check For Updates" in the Help menu of the browser, according to the Mozilla Links blog. However, users can also download the latest version of the browser, Firefox 3.0.8, which addresses those vulnerabilities and arrives one week early.

One of the vulnerabilities patched was a proof-of-concept memory corruption bug associated with XSL parsing. This so-called crashing bug was discovered last week by an Italian hacker.

The second vulnerability that Mozilla patched was found by a hacker calling himself Nils. He won $15,000 at the CanSecWest Pwn2Own competition by hacking into three fully patched browsers. Nils first hacked into Internet Explorer 8, finding DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) bugs that Microsoft since has said are fixed. He also took down Apple's Safari browser, according to this account.

Nils is a 25-year-old computer science student from Germany who would only give his first name during the event. He explained why he was able to hack the Firefox browser, indicating that the "XUL tree method _moveToEdgeShift was in some cases triggering garbage collection routines on objects which were still in use."

This bug caused Firefox to crash. It can allow an attacker the ability to run code on a victim's computer if the user is lured to a Web site laden with ready-to-deploy exploits.

In issuing the updates, Mozilla rated both vulnerabilities as "critical," Mozilla's highest severity rating. Mozilla also indicated that both bugs can also be addressed by disabling JavaScript in the Firefox browser.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

comments powered by Disqus

Featured

  • Compare New GitHub Copilot Free Plan for Visual Studio/VS Code to Paid Plans

    The free plan restricts the number of completions, chat requests and access to AI models, being suitable for occasional users and small projects.

  • Diving Deep into .NET MAUI

    Ever since someone figured out that fiddling bits results in source code, developers have sought one codebase for all types of apps on all platforms, with Microsoft's latest attempt to further that effort being .NET MAUI.

  • Copilot AI Boosts Abound in New VS Code v1.96

    Microsoft improved on its new "Copilot Edit" functionality in the latest release of Visual Studio Code, v1.96, its open-source based code editor that has become the most popular in the world according to many surveys.

  • AdaBoost Regression Using C#

    Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demonstration of the AdaBoost.R2 algorithm for regression problems (where the goal is to predict a single numeric value). The implementation follows the original source research paper closely, so you can use it as a guide for customization for specific scenarios.

  • Versioning and Documenting ASP.NET Core Services

    Building an API with ASP.NET Core is only half the job. If your API is going to live more than one release cycle, you're going to need to version it. If you have other people building clients for it, you're going to need to document it.

Most   Popular

Subscribe on YouTube