December 4, 2016

Mozilla Releases Firefox 10 and Firefox 3.6.26 to Address Multiple Vulnerabilities

(LiveHacking.Com) – The Mozilla Foundation has released Firefox 10 and Firefox 3.6.26 to address multiple security vulnerabilities. These vulnerabilities, if exploited, could allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, or perform a cross-site scripting attack.

Firefox 10 fixes 8 security issues, of which 5 are rated “Critical”. Mozilla defines a “Critical” vulnerability as one that can be exploited to run attacker code and install software with no user interaction beyond normal browsing. The critical fixes include a possible memory corruption during the decoding of Ogg Vorbis files, which could cause a crash and has the potential for remote code execution, as well as several memory safety bugs in the browser engine. Mozilla notes that some of these bugs showed evidence of memory corruption under certain circumstances, and presumes that with enough effort at least some of them could be exploited to run arbitrary code.

The full list of fixes is:

  • MFSA 2012-09 Firefox Recovery Key.html is saved with unsafe permissions
  • MFSA 2012-08 Crash with malformed embedded XSLT stylesheets
  • MFSA 2012-07 Potential Memory Corruption When Decoding Ogg Vorbis files
  • MFSA 2012-06 Uninitialized memory appended when encoding icon images may cause information disclosure
  • MFSA 2012-05 Frame scripts calling into untrusted objects bypass security checks
  • MFSA 2012-04 Child nodes from nsDOMAttribute still accessible after removal of nodes
  • MFSA 2012-03 <iframe> element exposed across domains via name attribute
  • MFSA 2012-01 Miscellaneous memory safety hazards (rv:10.0/ rv:1.9.2.26)

New features in Firefox 10 include:

  • The forward button is now hidden until you navigate back
  • Most add-ons are now compatible with new versions of Firefox by default
  • Anti-Aliasing for WebGL is now implemented (see bug 615976)
  • CSS3 3D-Transforms are now supported (see bug 505115)
  • New <bdi> element for bi-directional text isolation, along with supporting CSS properties (see bugs 613149 and 662288)
  • Full Screen APIs allow you to build a web application that runs full screen (see the feature page)

The fixes for 3.6.26 are backports of fixes applied to Firefox 10 including:

  • MFSA 2012-08 Crash with malformed embedded XSLT stylesheets
  • MFSA 2012-07 Potential Memory Corruption When Decoding Ogg Vorbis files
  • MFSA 2012-04 Child nodes from nsDOMAttribute still accessible after removal of nodes
  • MFSA 2012-01 Miscellaneous memory safety hazards (rv:10.0/ rv:1.9.2.26)

The only fix unique to the 3.6 series is MFSA 2012-02, Overly permissive IPv6 literal syntax. This issue was already fixed in Firefox 7.0 but has only now been backported to Firefox 3.6.26.
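The MFSA 2012-02 title describes a URL host parser that accepts bracketed IPv6 literals outside the standard address grammar. The following is an added illustration, not Firefox's code and not taken from the advisory: it contrasts a constructed "permissive" check (anything in brackets passes) with a strict one that only accepts a syntactically valid IPv6 address, so that stray characters, zone identifiers or hostnames hidden inside the brackets are rejected before the value reaches anything downstream. The sample literals and the helper names are assumptions made for this example.

```python
import ipaddress

# Constructed sample host literals for the demonstration below (not from the advisory).
SAMPLE_LITERALS = [
    "[::1]",                    # loopback, valid
    "[2001:db8::1]",            # documentation prefix, valid
    "[::ffff:192.0.2.1]",       # IPv4-mapped form, valid IPv6 syntax
    "[2001:db8::1<script>]",    # non-address characters inside the brackets
    "[::1%25eth0]",             # zone identifier; not part of the bare address grammar
    "[example.com]",            # a hostname hidden in brackets
    "[12345::1]",               # hextet longer than four hex digits
    "::1",                      # no brackets at all
]


def permissive_host_literal(host: str) -> bool:
    """Constructed 'loose' check: treat any bracketed value as an IPv6 literal.

    This models the kind of over-acceptance the advisory title refers to; it is
    an illustration, not a reproduction of the actual parser behaviour."""
    return host.startswith("[") and host.endswith("]")


def strict_host_literal(host: str) -> bool:
    """Accept only '[' + valid IPv6 address + ']' with nothing else inside."""
    if not (host.startswith("[") and host.endswith("]")):
        return False
    inner = host[1:-1]
    # Reject zone identifiers explicitly: newer Python versions accept '%zone'
    # in ipaddress.IPv6Address, but a plain URL host literal should not carry one.
    if "%" in inner:
        return False
    try:
        ipaddress.IPv6Address(inner)
    except ValueError:
        return False
    return True


def classify_literals(literals):
    """Return {literal: (permissive_result, strict_result)} for each sample."""
    return {h: (permissive_host_literal(h), strict_host_literal(h)) for h in literals}


if __name__ == "__main__":
    for literal, (loose, strict) in classify_literals(SAMPLE_LITERALS).items():
        print(f"{literal:28} permissive={loose!s:5} strict={strict}")
```

The strict check delegates the address grammar to the standard library rather than a hand-written regular expression, and layers the one extra rule (no zone identifier) on top; the permissive version shows how much non-address input slips through when only the brackets are checked.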
