Mozilla Issues Seven Security Advisories to Mitigate Vulnerabilities
by iClass - Monday, May 02, 2011
Recently, Mozilla announced seven security advisories to address multiple vulnerabilities, which could allow arbitrary code execution, information disclosure, privilege escalation and directory traversal. The security updates also address dangling pointer vulnerabilities and security issues in recently introduced WebGL feature.
One of the security advisories addresses multiple memory safety and crash issues, which could cause memory corruption. The vulnerabilities have been rated as critical as they could be exploited to run arbitrary code. The security update resolves these issues in Firefox 4, 3.6, 3.5, Thunderbird 3.1 and SeaMonkey 2.
Mozilla has resolved critical potential buffer overflow, and overwrite issues associated with WebGL feature introduced in Firefox 4. Security researchers also identified that WebGLES libraries were compiled without Address Space Layout Randomization (ASLR) protection. A memory corruption flaw could also allow attackers to use WebGLES libraries to bypass ASLR on Windows 7 and Vista.
Another advisory fixes critical dangling pointer vulnerabilities identified by researchers affiliated to TippingPoint. The security issues affect Firefox 3.6, 3.5 and SeaMonkey 2. Dangling pointers do not direct to a valid object and are caused by deletion of an object, without altering the related pointers. Dangling pointer vulnerabilities may cause memory safety issues.
The security team at Mozilla also addresses a critical privilege escalation vulnerability associated with Java Embedding Plugin (JEP). The flaw could be exploited by attackers to attain higher privileges to resources on a computer system. JEP is shipped with the Mac OS X versions of Firefox. Another advisory mitigates an information disclosure vulnerability identified by security researcher Paul Stone. The security flaw rated moderate, could allow attackers to use steal entries from form history by using a Java applet to imitate interaction with form AutoComplete controls. Both the above vulnerabilities affect Firefox 3.6, 3.5 and SeaMonkey 2.
Mozilla has also resolved a directory traversal issue in resource: protocol identified by security researcher Soroush Dalili. The security flaw rated moderate, allows attackers to cause directory traversal on Windows and allow loading of resources from non-permitted locations. Directory traversal may be caused by improper validation of user input. The security update also resolves an issue in XSLT generate-id() function, which causes heap address leak. The update applies to Firefox 4, 3.6, 3.5 and SeaMonkey 2.
Cyber security awareness among Internet users is crucial to deal with vibrant threats. Internet users may benefit from online degree courses on cyber security, alerts on security blogs, advisories released by vendors, and safe usage guidelines by computer emergency response teams. Internet users must adhere to the security updates issued by vendors of web browsers to prevent exploitation of vulnerabilities. They must use latest updated browsers.
Browsers offer increased functionality to improve user experience. However, users must configure their browsers to ensure that additional functionalities do not compromise security. They can enhance the security settings, while performing banking and online transactions. They may also disable ActiveX controls and plug-ins, adjust the privacy settings, and adjust cookie settings to allow, allow for session or deny for improving security. They may also adjust AutoComplete or AutoFill settings accordingly.
Hiring professionals qualified in computer science degree may help organizations in timely identification and application of requisite patches. Users may choose between different web browsers in accordance with use, functionality and security features. They must avoid unsafe practices, such as clicking on arbitrary links, and downloading attachments arriving from unknown sources. They must install and update anti-virus software. Working with user privileges, rather than administrative privileges may reduce chances of execution of malicious code.
IT professionals may benefit from online university degree courses to update themselves on latest developments in cyber security, various threat vectors, security measures and precautions.
EC-Council University is based in Albuquerque, New Mexico and offers Master of Security Science (MSS) degree to students from various backgrounds such as graduates, IT Professionals, and military students amongst several others. The MSS is offered as a 100% online degree program and allows EC-Council University to reach students from not only the United States, but from all around the world.
EC-Council is a member-based organization that certifies individuals in cybersecurity and e-commerce skills. It is the owner and developer of 16 security certifications, including Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (CHFI) and EC-Council Certified Security Analyst (ECSA)/License Penetration Tester (LPT). Its certificate programs are offered in over 60 countries around the world.
EC-Council has trained over 80,000 individuals and certified more than 30,000 members, through more than 450 training partners globally. These certifications are recognized worldwide and have received endorsements from various government agencies including the U.S. federal government via the Montgomery GI Bill, Department of Defense via DoD 8570.01-M, National Security Agency (NSA) and the Committee on National Security Systems (CNSS). EC-Council also operates the global series of Hacker Halted security conferences.
Read More Press Releases
‘Hiranandani Business Park, Thane conceptualizes a work culture that goes beyond just businesses’: Niranjan Hiranandani
Mumbai's Development Plan scrapped; hope the new plan will take a holistic view, Niranjan Hiranandani
Get press releases by email