Mozilla Corp. today released updated versions of the Firefox browser, v1.5.0.10 and v2.0.0.2, for Windows, Mac, and Linux, in an effort to close a major security flaw called the "location.hostname vulnerability." The fix blocks hackers from being able to tamper with how websites are displayed.
"We strongly recommend that all Firefox users upgrade to this latest release," said Mike Schroepfer, Mozilla's vice president of engineering.
"This update resolves the location.hostname vulnerability, and other security and stability issues. Thanks to the work of our contributors, we have been able to address these issues quickly in order to minimize the security risk to Firefox users."
The location.hostname issue allowed malicious website operators to manipulate authentication cookies for third-party sites, changing how sites looked or worked.
The updates are available immediately in 37 languages, including French, German, Spanish, Italian and Japanese.
Key security changes in the new versions, according to Schroepfer, are:
* Improvements to help protect against cross-site scripting attacks
* Embedded nulls in location.hostname confuse same-domain checks
* Mozilla Network Security Services (NSS) SSLv2 buffer overflow
* XSS and local file access by opening blocked popups
* Spoofing using custom cursor and CSS3 hotspot
* Information disclosure through cache collisions
Firefox 1.5.0.x will be maintained with security and stability updates until April 24, 2007; however, all users are encouraged to upgrade to Firefox 2, Schroepfer said.
User who already have Firefox 1.5.0.x or Firefox 2.0.0.x will receive an automated update notification within 24 to 48 hours, Schroepfer said. This update can also be applied manually by selecting "Check for Updates..." from the Help menu starting later today, Schroepfer said.
The new Firefox v2.0.0.2 update can be obtained here. Firefox v1.5.0.10 is available for download, here.
|
