
Mozilla Firefox Vulnerabilities

Friday, December 29th, 2006 by | Filed Under: Security Help

Today’s security topic was easy to miss over the busy weekend, so I decided to shed some light on things here, the Tuesday after the big holiday break.

The Mozilla Foundation surely has been having a wonderful holiday. I expect that with 10 new vulnerabilities, they could be having nothing else. These new risks affect not only their popular Internet browser, Firefox, but also Thunderbird (the POP3 e-mail client) and SeaMonkey (an all-in-one Internet suite).

I have created a quick list of the vulnerabilities to help you all get an understanding of what these potential security holes are and how they can be exploited. Some of the exploits take advantage of JavaScript and its associated services, whereas others take advantage of cross-site scripting, injected script and heap buffer overflows, just to quickly describe a few. Take a look for yourself. You can link out to Mozilla’s Web site for more information on any of the following:

  • XSS Using Outer Window’s Function Object - This is an exploit that could possibly be used to steal a user’s credentials, utilizing cross-site scripting.

  • RSS Feed Preview Referrer Leak - The new “Feed Preview” feature in Firefox 2.0 can potentially leak your surfing habits to Web-based feeds. (Does not affect Firefox 2.0).

  • Mozilla SVG Processing Remote Code Execution - Specially created documents can cause a crash due to memory corruption that can then be exploited to run arbitrary code.

  • XSS By Setting img.src to Javascript: URI - Specially crafted images loaded into frames can potentially bypass the cross-site scripting measures, allowing an injected script to steal sensitive information.

  • LiveConnect Crash Finalizing JS Objects - LiveConnect allows Java applets and JavaScript to communicate. It can potentially be exploited through its reuse of already freed objects.

  • Privilege Escalation Using Watch Point - The JavaScript watch can be exploited to gain elevated privileges, which could be used to install malware on the user’s system.

  • CSS Cursor Image Buffer Overflow - A miscalculated size during conversion of the cursor image can cause a heap buffer overflow, which then can be used to compromise the victim’s PC.

  • Crashes With Evidence of Memory Corruption - Some crashes showed evidence of memory corruption, which could possibly be used to run arbitrary code on a user’s computer.

A good majority of these vulnerabilities are taken care of in the latest version of Firefox, but there are a few that you need to secure yourself against. For example, a few of these exploits take advantage of JavaScript services in Thunderbird. The feature to use JavaScript in e-mails is disabled by default, but some of you may have enabled it for one reason or another. This service should be disabled immediately, or else you leave your system open to attacks.
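One way to check a Thunderbird profile for that setting without opening the program, as an added example that is not part of the original tip. It assumes the setting is stored as the boolean preference `javascript.allow.mailnews` in the profile's `prefs.js` (with optional overrides in `user.js`); the preference name and the sample file contents below are assumptions constructed for illustration.

```python
import re

# Assumption: Thunderbird of this era stored "JavaScript in mail" as this boolean pref.
MAIL_JS_PREF = "javascript.allow.mailnews"

# One user_pref("name", value); statement per line, as written in prefs.js / user.js.
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def parse_prefs(text):
    """Return {name: raw_value}; later assignments override earlier ones."""
    prefs = {}
    # Drop /* ... */ blocks first so a commented-out pref is not counted.
    for line in BLOCK_COMMENT.sub("", text).splitlines():
        match = PREF_LINE.match(line)  # '#' and '//' lines never match
        if match:
            prefs[match.group(1)] = match.group(2)
    return prefs


def mail_javascript_status(prefs_text, user_text=""):
    """Classify a profile; user.js is applied after prefs.js, so it wins."""
    merged = parse_prefs(prefs_text)
    merged.update(parse_prefs(user_text))
    value = merged.get(MAIL_JS_PREF)
    if value is None:
        return "default (disabled)"
    if value == "true":
        return "ENABLED - disable it"
    if value == "false":
        return "disabled"
    return "unrecognised value: " + value


# Constructed sample of a prefs.js in which the feature was switched on.
SAMPLE_PREFS = '''# Mozilla User Preferences
/* Do not edit this file. */
user_pref("app.update.enabled", true);
user_pref("javascript.allow.mailnews", true);
'''

if __name__ == "__main__":
    print(mail_javascript_status(SAMPLE_PREFS))
```

To audit a real profile, read its `prefs.js` (and `user.js`, if present) and pass the contents to `mail_javascript_status`.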

Other than that, make sure that all your Mozilla programs are updated and you should be fine. If you are unsure whether all your Mozilla software is up to date, you can always use the Secunia Software Inspector to check your software versions. It comes complete with links and recommendations.

The Secunia Software Inspector is a great online service that scans your system and creates a list of not only the operating system patch version, but other installed software versions as well. In other words, you can go out to Secunia’s Web site and go through each scan process to find out if any of your software needs to be updated and where you can go to do so.

That is a great service. I would even recommend putting this little fellow in your bookmarks and running it as part of your regular security maintenance.

So, go out to Secunia, run the Software Inspector, carefully look through the results of the scan, see what you need updated and follow the links the service provides to perform the necessary updates.

Until next week, stay safe out there!

~ Chad Stelnicki
