Google Chrome, Mozilla Firefox Fix Serious Flaws

Following a major patch for Microsoft’s Internet Explorer, Chrome and Firefox have also come out with fixes for a remotely exploitable flaw

Just days after fixing multiple security flaws in their web browsers, Google and Mozilla have updated their products again to fix a serious bug that could result in remote code execution.

Mozilla fixed an integer overflow bug in the libpng graphics library used by its Firefox web browser and Thunderbird mail client on 17 February. Google fixed the same bug two days earlier in its own update to the Chrome web browser.

An attacker could craft malicious images which exploit this bug and compromise users by simply having them view the image using vulnerable software, Mozilla said in its security advisory.

Chrome bounties

Google’s 15 February security update had fixed the libpng vulnerability along with 12 other high- and medium-risk integer and heap overflow and use-after-free vulnerabilities.

The latest version of Chrome also included the new version of the Adobe Flash Player plug-in to address a recently patched zero-day flaw. Google paid at least $6,837 (£4,300) in bug bounties to researchers who identified the flaws, according to a post by Jason Kersey on the Google Chrome blog.

The libpng “bug is remotely exploitable and can lead to arbitrary code execution”, Mozilla warned in its advisory.

All three major web browsers were updated this week to address critical security flaws. Google’s latest release actually follows another update on 9 February when the company closed 20 flaws in Chrome.

Only one of the bugs had been rated critical, but six were considered high-risk. In that release, Google also announced a new security feature which would check for malicious downloads by scanning executable files.

If the executable being downloaded didn’t match a whitelist of approved files, Chrome would ping Google servers for more information about the website’s trustworthiness, such as whether the source was known to host malware.

Since Google bundles the Flash Player plugin with Chrome, it is responsible for updating the browser whenever Adobe releases an update of the player. Adobe updated Flash Player on 15 February and disclosed a cross-site scripting flaw that was already being exploited in targeted attacks against Internet Explorer users on Windows systems.

Malicious link

Users were being tricked into clicking on a malicious link delivered in an email message to exploit the XSS flaw, Adobe said.

Mozilla had also just updated its brand-new Firefox 10, released in January, with version 10.0.1 on 11 February.

The use-after-free flaw was in a component that was used by Firefox, Thunderbird and SeaMonkey. The flaw seems to have been introduced in Firefox 10, since versions 9 and earlier were not affected by this issue.

Microsoft addressed four critical flaws in Internet Explorer as part of its February Patch Tuesday on 14 February.

If exploited successfully, the vulnerabilities could allow remote code execution if a user views a specially crafted web page using Internet Explorer versions 7, 8 or 9. The attacker could gain the same user rights as the logged-on user, according to Microsoft.

Attackers are increasingly relying on browser exploits to compromise users, so it was critical that users and administrators update to the latest versions as soon as possible, security experts advised.