Headline Feeds
The Mozilla Foundation patches seven security flaws with version 1.5.0.7 of its Firefox browser. Four of them, rated "critical," would allow attackers to install software on vulnerable computers.
The critical problems include a JavaScript error that could permit remote execution of code and a vulnerability that could permit RSA signature forging.
RSA certificates are used to authenticate secure Web sites and digitally signed e-mail messages.
"Critical" is the highest level on Mozilla's security scale. All Firefox users are urged to install the new version immediately.
Misplaced Trust
Among the non-critical flaws, there are two that relate to "sub-frames."
In one case, an attacker could use the pop-up blocker status bar to trick a user into believing that a blocked pop-up window came from a trusted site.
In another instance, a non-critical vulnerability could allow a user to be directed to a trusted site in a new window, where an attacker could use a sub-frame to steal entered data -- placing passwords or credit card information, for example, at risk.
Thunderbird Impacted Too
Firefox will download the latest update automatically by default. It is also available via the browser's auto-update feature or downloaded directly from the Firefox Web site.
Users of the Thunderbird e-mail application also are advised to install the Firefox update, since the two applications run on the same engine.
