Mozilla releases second round of Firefox 3.5 bug fixes
Perhaps the Mozilla organization's most valuable contributor to its Web browser's integrity is the tester who goes by the handle moz_bug_r_a4. On multiple occasions now, this developer has located and privately reported to Mozilla extremely serious issues, including a potential page hijacking exploit last December.
Late yesterday, Mozilla credited moz_bug_r_a4 with another coup: the discovery of an improper handoff in Firefox 3.5 between Content Policy-based plug-ins such as AdBlock Plus and the object that represents the browser window. That could trigger a situation where the browser could execute JavaScript code with chrome privilege, meaning with the same unrestricted policy given to code that is allowed to change the makeup or even the appearance of the browser itself.
Before this potential exploit could be discovered and used by others, this Mozilla tester enabled the organization to release a bug fix as version 3.5.2, beginning last night. Tweaks to the new TraceMonkey JavaScript engine, originally planned for 3.5.1, still do not appear to be featured in this latest release on the 3.5 track.
The privilege escalation bug was one of six on Mozilla's docket for this round, with four issues (including this one) rated Critical. Three issues were shared with the older Firefox 3.0 track, including one potential heap overflow exploit involving a maliciously crafted certificate that leaves the browser in a state where binary code could be executed without privilege. This led to Mozilla's release of Firefox version 3.0.13 earlier Monday.