Firefox 9 Security Fixes

We had a "one liner" about the Firefox 9 update already. But I wanted to take a couple more lines to highlight some of the flaws fixed in Firefox 9, which I think belong in the "we told you so" category. By "we" I am not referring to the ISC, but to the large number of articles talking about HTML 5 security.

One problem that was pointed out by various people is the fact that the addition of the <video> and <audio> tags requires the inclusion of respective file format parsers in the browser. These parsers have been known in the past to be the source of various security issues. Some of the Firefox 9 fixes illustrate this problem:

MFSA 2011-58: Crash scaling <video> to extreme sizes (affects OGG formatted videos)

MFSA 2011-56: nsSVGValue out-of-bounds access

These two vulnerabilities are rated as critical by Mozilla.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute