Firefox 3.5.2 and 3.0.13 security updates
Firefox 3.5.2 and Firefox 3.0.13 are now available for Windows, Mac, and Linux as free downloads:
Details on the Firefox 3.5.2 fixes are available below.
Chrome privilege escalation due to incorrectly cached wrapper
Mozilla add-on developer and community member Wladimir Palant reported broken functionality on pages that had a Link: HTTP header when an add-on was installed which implemented a Content Policy in JavaScript, such as AdBlock Plus or NoScript. Mozilla security researcher moz_bug_r_a4 demonstrated that the broken functionality was due to the window’s global object receiving an incorrect security wrapper and that this issue could be used to execute arbitrary JavaScript with chrome privileges.
Crashes with evidence of memory corruption
Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
Location bar and SSL indicator spoofing via window.open() on invalid URL
Security researcher Juan Pablo Lopez Yacubian reported that an attacker could call window.open() on an invalid URL which looks similar to a legitimate URL and then use document.write() to place content within the new document, appearing to have come from the spoofed location. Additionally, if the spoofed document was created by a document with a valid SSL certificate, the SSL indicators would be carried over into the spoofed document. An attacker could use these issues to display misleading location and SSL information for a malicious web page.
Heap overflow in certificate regexp parsing
Moxie Marlinspike reported a heap overflow vulnerability in the code that handles regular expressions in certificate names. This vulnerability could be used to compromise the browser and run arbitrary code by presenting a specially crafted certificate to the client. This code provided compatibility with the non-standard regular expression syntax historically supported by Netscape clients and servers. With version 3.5 Firefox switched to the more limited industry-standard wildcard syntax instead and is not vulnerable to this flaw.
Compromise of SSL-protected communication
Dan Kaminsky reported a mismatch in the treatment of domain names in SSL certificates between SSL clients and the Certificate Authorities (CA) which issue server certificates. In particular, if a malicious person requested a certificate for a host name with an invalid null character in it most CAs would issue the certificate if the requester owned the domain specified after the null, while most SSL clients (browsers) ignored that part of the name and used the unvalidated part in front of the null. This made it possible for attackers to obtain certificates that would function for any site they wished to target. These certificates could be used to intercept and potentially alter encrypted communication between the client and a server such as sensitive bank account transactions.
This vulnerability was independently reported to us by researcher Moxie Marlinspike who also noted that since Firefox relies on SSL to protect the integrity of security updates this attack could be used to serve malicious updates.
Data corruption with SOCKS5 reply containing DNS name longer than 15 characters
Andrej Andolsek reported that when Firefox receives a reply from a SOCKS5 proxy which contains a DNS name longer than 15 characters, the subsequent data stream in the response can become corrupted. There was no evidence of memory corruption, however, and the severity of the issue was determined to be low.
Mozilla strongly recommend that all Firefox users upgrade to this latest release. If you already have Firefox 3.5 or Firefox 3, you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting “Check for Updates” from the Help menu.