Mozilla has shipped a "highly critical" Firefox update to correct multiple security bugs that could cause cross-site scripting, information disclosure, denial-of-service and system access attacks.

The update is the first for Firefox 2.0 and also applies to Firefox 1.5. Five of the eight bugs fixed in the update are rated "critical" by Mozilla.

The Firefox patch, which is distributed automatically to users, corrects the following issues:

Various errors in the layout engine and JavaScript engine that can be exploited to cause memory corruption and some [of which] may potentially allow execution of arbitrary code.

An error when reducing the CPU's floating point precision, which may happen on Windows when loading a plug-in creating a Direct3D device. This may lead to memory corruption.

A boundary error when setting the cursor to a Windows bitmap using the CSS cursor property. This can be exploited to cause a heap-based buffer overflow.

An unspecified error in the "watch()" JavaScript function can be exploited to execute arbitrary code.

An error in LiveConnect causes an already freed object to be used and may potentially allow execution of arbitrary code.

An error in the handling of the "src" attribute of IMG elements loaded in a frame can be exploited to change the attribute to a "javascript:" URI. This allows execution of arbitrary HTML and script code in a user's browser session.

A memory corruption error within the SVG processing may allow execution of arbitrary code by appending an SVG comment DOM node from one document into another type of document (e.g. HTML).

The "Feed Preview" feature of Firefox 2.0 may leak feed-browsing habits to Web sites when retrieving the icons of installed Web-based feed viewers.

A Function prototype regression in Firefox 2.0 can be exploited to execute arbitrary HTML and script code in a user's browser session.

An eagle-eyed Sean Michael Kerner points out that the Firefox update missed a password manager bug that was reported more than a month ago, but it appears that the Mozilla folks don't consider that a high-risk issue.

Here's Reed Loden discussing the password manager issue on the Funsec mailing list:

I, personally, do not consider that a critical vulnerability. The problem is really with the third-party sites (such as MySpace) that allow users to post login forms on their site. If the sites didn't allow users to post content like that, it wouldn't be a problem. MySpace has since fixed this problem, so it's not an issue there. Also, it's not like somebody can get the password for another website than the one you are currently viewing.

A better "fix" (for some definition of "fix" for a problem that's really not Firefox's fault) for this issue will come in a later Firefox release, but for now, Firefox allows people to disable the password manager's autofill function if they feel that they are really unsecure due to this issue.

Honestly, if you trust the sites you are going to, you shouldn't have a problem. I'm not worried about it.


Apple Computer was also busy on the patching front, shipping a fix for an obscure QuickTime for Java flaw that could cause lead to the disclosure of sensitive information.

The problem is that unsigned Java applets are able to use QuickTime for Java and Quartz Composer to upload images which may potentially contain sensitive information. The vulnerability affects Mac OS X v10.4.8 and Mac OS X Server v10.4.8 and is fixed with the Apply Security Update 2006-008.

This patch is not related to the QuickTime feature that was being manipulated in the MySpace phishing attacks earlier this month.