Firefox 2.0.0.10 fixes jar: and other vulnerabilities

Published: November 27th, 2007

Mozilla has released Firefox 2.0.0.10, an update that fixes three security vulnerabilties rated as high.

The first of the bugs may allow a cross-site scripting (XSS) attack due to an error in handling JavaScript initiated window contents changes (window.location). Another one, fixes the well publicized jar: protocol flaw that could also allow cross site scripting attacks. Mozilla has tightened the conditions for loading jar: protocol URIs:

Support for the jar: URI scheme has been restricted to files served with a Content-Type header of application/java-archive or application/x-jar. Web applications that require signed pages must make sure their .jar archives are served with this Content-Type. Sites that allow users to upload binary files should make sure they do not allow these files to have one of these two MIME types.

There’s not much detail about the third one except it involves memory corruption.

Naturally, users are strongly encouraged to update: select Check for Updates… in the Help menu, or wait for Firefox to automatically prompt you to install the update in the next 48 hours.

You can leave a response, or trackback from your own site.

2 Comments on “Firefox 2.0.0.10 fixes jar: and other vulnerabilities”

Subscribe to this post's RSS feed

1. Milind
November 29th, 2007 at 11:13 pm
“download” is not linked in:

http://mozillalinks.org/wp/2007/11/firefox-20010-fixes-jar-and-other-vulnerabilities/

but that’s not going to stop me from getting this latest release. update has happend to my office computer, new release for home standalone.

thank you.

with best regards,
-milind

[Reply]
2. James Joseph
April 25th, 2008 at 10:53 am
Where can I download the latest patches?

[Reply]