Mozilla on Tuesday patched three security holes in its Firefox web browser and SeaMonkey cross-platform suite.Firefox version 220.127.116.11 fixes three “high impact” flaws, including a URI (uniform resource identifier) scheme bug in the browser that can be exploited to perform cross-site scripting (XSS) attacks, Mozilla disclosed Tuesday in an advisory.
The flaw, disclosed by researchers Jesse Ruderman and Petko Petkov, occurs when a URI scheme is “introduced as a mechanism to support digitally signed webpages,” which enables users to install pages on other websites, and could lead to XSS attacks.
Petkov confirmed today that disclosed the issue earlier this month, warning administrators in a blog post that sanitizing all files at risk could be a difficult task.
“The best way to protect against the upcoming jar: protocol attacks is to very carefully sanitize the types of files you allow your users to upload or share,” he said. “Unfortunately, sometimes this is impossible, especially when it comes to formats such as ODT and DOC.”
A published proof-of-concept attack demonstrated how a cyberattacker could steal a user's Gmail contact list by exploiting the flaw.
Mozilla also patched a referrer-spoofing bug in the window.location race condition.
The timing condition vulnerability, disclosed by researcher Gregory Fleischer, can be exploited to conduct a cross-site request forgery attack against websites that sign users off after an elapsed period of time.
Amol Sarwate, director of the vulnerability research lab at Qualys, told SCMagazineUS.com today that the referrer-spoofing flaw can be exploited to hijack a user's online banking session.
“The session, as well as the cookies, can be used by the attacker to, for example, transfer money out of his account because the session, as well as the cookies, are correct while the user is timed in,” he said.
Mountain View, California-based Mozilla also released a cumulative fix for three bugs that “showed some evidence of memory corruption under certain circumstances” and that could be exploited to run arbitrary code.
Mozilla last month patched eight flaws in Firefox and SeaMonkey, including two “critical” flaws. Last week, Mozilla released Firefox 3 Beta 1, which the organization said improved website-identification and anti-virus integration features.
A Mozilla representative could not be immediately reached for comment.