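This is a known high-risk vulnerability, with concerns of system information disclosure and remote control!
All Firefox 3.0.X users are advised to update immediately!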
Description:
Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious, local users to potentially disclose sensitive information, and by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, disclose sensitive information, or potentially to compromise a user's system.
1) Multiple errors in the layout engine can be exploited to cause memory corruptions and potentially execute arbitrary code.
2) Multiple errors in the JavaScript engine can be exploited to cause memory corruptions and potentially execute arbitrary code.
3) A chrome XBL method can be used in combination with "window.eval" to execute arbitrary JavaScript code in the context of another web site.
4) An error when restoring a closed tab can be exploited to modify an input control's text value, which allows e.g. to disclose the content of a local file when a user re-opens a tab.
5) An error in the processing of shortcut files can be exploited to execute arbitrary script code with chrome privileges e.g. via an HTML file that loads a privileged chrome document via a .desktop shortcut file.
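This vulnerability affects all Firefox 3.0.X versions. When a user browses a script that has been modified by a malicious party,
important information on the system may be leaked, and there is a concern of remote control!
This vulnerability was fixed yesterday, and users of the Chinese version of Firefox 3 can now get the new version through automatic update!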
In addition, this version fixes a lot of crash bugs.