Cenzic 232 Patent
Paid Advertising
web application security lab

Firefox 1.5.0.4 released

Firefox just released it’s latest version, 1.5.0.4, which aims to fix a number of issues including a few with XSS relevance:

  1. MFSA 2006-43 Privilege escalation using addSelectionListener
  2. MFSA 2006-42 Web site XSS using BOM on UTF-8 pages
  3. MFSA 2006-41 File stealing by changing input type (variant)
  4. MFSA 2006-39 “View Image” local resource linking (Windows)
  5. MFSA 2006-38 Buffer overflow in crypto.signText()
  6. MFSA 2006-37 Remote compromise via content-defined setter on object prototypes
  7. MFSA 2006-36 PLUGINSPAGE privileged JavaScript execution 2
  8. MFSA 2006-35 Privilege escalation through XUL persist
  9. MFSA 2006-34 XSS viewing javascript: frames or images from context menu
  10. MFSA 2006-33 HTTP response smuggling
  11. MFSA 2006-32 Fixes for crashes with potential memory corruption
  12. MFSA 2006-31 EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)

The BOM in UTF-8 is fairly interesting, and I’m kicking myself for not finding it first, but since it is such a high order character I never got around to it with my fuzzer. Alas! Well congrats to Masatoshi Kimura for finding it first.

One Response to “Firefox 1.5.0.4 released”

  1. An Awesome Guy Says:

    To squeeze out more firefox performance try this Community Edition build:

    http://forums.mozillazine.org/viewtopic.php?t=353091

    (kick yourself less)