Firefox 2.0.0.10 fixes jar: and other vulnerabilities

Mozilla has released Firefox 2.0.0.10, an update that fixes three security vulnerabilties rated as high.

The first of the bugs may allow a cross-site scripting (XSS) attack due to an error in handling JavaScript initiated window contents changes (window.location). Another one, fixes the well publicized jar: protocol flaw that could also allow cross site scripting attacks. Mozilla has tightened the conditions for loading jar: protocol URIs:

Support for the jar: URI scheme has been restricted to files served with a Content-Type header of application/java-archive or application/x-jar. Web applications that require signed pages must make sure their .jar archives are served with this Content-Type. Sites that allow users to upload binary files should make sure they do not allow these files to have one of these two MIME types.

There’s not much detail about the third one except it involves memory corruption.

Naturally, users are strongly encouraged to update: select Check for Updates… in the Help menu, or wait for Firefox to automatically prompt you to install the update in the next 48 hours.