Feel Firefox - blog, extensions, themes and more


Firefox 2.0.0.10 fixes jar: and other vulnerabilities

November 27th, 2007

Mozilla has released Firefox 2.0.0.10, an update that fixes three security vulnerabilities rated as high.

The first of the bugs may allow a cross-site scripting (XSS) attack due to an error in handling JavaScript-initiated changes to window contents (window.location). Another fixes the well-publicized jar: protocol flaw, which could also allow cross-site scripting attacks. Mozilla has tightened the conditions for loading jar: protocol URIs:

Support for the jar: URI scheme has been restricted to files served with a Content-Type header of application/java-archive or application/x-jar. Web applications that require signed pages must make sure their .jar archives are served with this Content-Type. Sites that allow users to upload binary files should make sure they do not allow these files to have one of these two MIME types.
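For sites that accept user uploads, the advice quoted above can be enforced when choosing the response header and checked afterwards against what the site actually serves. The following is an added example, not code from Mozilla or from this blog; the function names, the /uploads/ prefix, the fallback type and the sample data are assumptions made for illustration.

```python
# Added example: server-side guard for a site that hosts user uploads.
# The two MIME types come from the Mozilla note quoted above; the names,
# the fallback type and the sample data are assumed for illustration.

JAR_MIME_TYPES = {"application/java-archive", "application/x-jar"}
FALLBACK_TYPE = "application/octet-stream"  # assumed generic download type


def normalize_mime(header_value):
    """Reduce a Content-Type header value to a lowercase type/subtype."""
    if not header_value:
        return ""
    # Drop parameters such as "; charset=utf-8" and surrounding whitespace.
    return header_value.split(";", 1)[0].strip().lower()


def content_type_for_upload(declared_type):
    """Pick the Content-Type to serve for a user-uploaded file.

    The jar types, and missing or malformed values, fall back to a generic
    binary type. Other types pass through; restricting those is out of scope.
    """
    mime = normalize_mime(declared_type)
    if mime in JAR_MIME_TYPES or mime.count("/") != 1:
        return FALLBACK_TYPE
    return mime


def audit_responses(responses, upload_prefix="/uploads/"):
    """Return paths under upload_prefix that are served with a jar MIME type.

    `responses` is an iterable of (path, Content-Type header) pairs, for
    example collected from access logs or a crawl of your own site.
    """
    return [
        path
        for path, header in responses
        if path.startswith(upload_prefix) and normalize_mime(header) in JAR_MIME_TYPES
    ]


# Constructed sample data, not taken from any real site.
SAMPLE_RESPONSES = [
    ("/uploads/avatar.png", "image/png"),
    ("/uploads/photo.zip", "Application/X-Jar; charset=binary"),
    ("/signed/app.jar", "application/java-archive"),
    ("/uploads/doc.bin", "application/java-archive"),
]

if __name__ == "__main__":
    print(audit_responses(SAMPLE_RESPONSES))
```

The signed archive outside the upload area is left alone, since the same note requires legitimate .jar files to keep one of these two types.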

There’s not much detail about the third one except it involves memory corruption.

Naturally, users are strongly encouraged to update: select Check for Updates… in the Help menu, or wait for Firefox to automatically prompt you to install the update in the next 48 hours.

Via Mozillalinks.org




    2 Comments

    • 1. Steve H  |  November 28th, 2007 at 22:50

      And it’s broken all my extensions :( – even after purging FF from my system and deleting everything I could find called firefox, thus creating a completely clean installation – no extensions work.

      How miffed am I ?!?

    • 2. admin  |  November 29th, 2007 at 10:36

      Steve H, the problem is not in the update. I also updated my FF and all my extensions are working fine.
