Firefox 3.0.4及2.0.0.18发布

admin

Firefox 为3系列浏览器推出3.0.4版本,而以前的2系列则推出了2.0.0.18版本,此次更新主要是修复了大量漏洞,功能方面没有太大改进,建议使用firefox的各位网友升级到新版本firefox.

修复漏洞一览:
MFSA 2008-55: Critical
A crash and remote code execution is possible in nsFrameManager. This vulnerability can be exploited by modifying certain properties of a file input element before it has finished initializing. Details can be found in CVE-2008-5021
MFSA 2008-54: Critical
There's a buffer overflow in http-index-format parser as a result of the way Mozilla parses the http-index-format MIME type. Mozilla says by sending a specially crafted 200 header line in the HTTP index response, an attacker can cause the browser to crash and run arbitrary code on the victim's computer. Details can be found in CVE-2008-0017.

MFSA 2008-53: Critical
Mozilla says the browser's session restore feature can be used to violate the same-origin policy and run JavaScript in the context of another site. Details can be found in CVE-2008-5019.

MFSA 2008-52: Critical
Mozilla developers identified and fixed several stability bugs which may cause crashes in the browser engine used in Firefox and other Mozilla-based products. Details can be found in CVE-2008-5016 and CVE-2008-5017

MFSA 2008-50: Critical
Mozilla says by tampering with the window.__proto__.__proto__ object, a remote attacker can cause the browser to place a lock on a non-native object, leading to a crash and possible execution of arbitrary code. Details can be found in CVE-2008-5014

MFSA 2008-49: Critical
Mozilla says a SWF file which dynamically unloads itself from an outside JavaScript function can cause the browser to access a memory address no longer mapped to the Flash module, resulting in a crash. This crash could be used by an attacker to run arbitrary code on a victim's computer. Details can be found in CVE-2008-5013.

MFSA 2008-48: High
Mozilla says the canvas element in Firefox could be used in conjunction with an HTTP redirect to bypass same-origin restrictions and gain access to the content in arbitrary images from other domains. This vulnerability could be used by an attacker to steal private information from a victim who is logged into a website that stores the data in images. Details can be found in CVE-2008-5012

MFSA 2008-57: High
Mozilla says the -moz-binding CSS property can be used to bypass security checks which validate codebase principals. Details can be found in CVE-2008-5023.

MFSA 2008-56: High
Mozilla says the same-origin check in nsXMLHttpRequest::NotifyEventListeners() can be bypassed. This vulnerability could be used to execute JavaScript in the context of a different Web site. Details can be found in CVE-2008-5022.

MFSA 2008-51: Moderate
Mozilla says URIs are given chrome privileges when opened in the same tab as a chrome page or privileged about: page. This vulnerability could be used by an attacker to run arbitrary JavaScript with chrome privileges. Details can be found in CVE-2008-5015.

MFSA 2008-47: Moderate
Mozilla says locally saved .url shortcut files could be used to read information stored in the local cache. Details can be found in CVE-2008-4582.

MFSA 2008-58: Low
There's a parsing error in E4X default namespace. The error was caused by quote characters in the namespace not being properly escaped. Details can be found in CVE-2008-5024.