We had a one linerabout the Firefox 9 update already. But Iwanted to take a couple more lines to highlight some of the flaws fixed in Firefox 9, which I think belong in the we told you so category. By we I am not referring to the ISC, but to the large number of articles talking about HTML 5 security.
One problem that was pointed out by various people is the fact that the addition of the video and audio tags requires the inclusion of respective file format parsers in the browser. These parsers have been known in the past to be the source of various security issues. Some of the Firefox 9 fixes illustrate this problem:
MFSA 2011-58: Crash scaling video to extreme sizes (effects OGG formated videos)
MFSA 2011-56: nsSVGValue out-of-bounds access
These two vulnerabilities are rated as critical by Mozilla.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
One problem that was pointed out by various people is the fact that the addition of the video and audio tags requires the inclusion of respective file format parsers in the browser. These parsers have been known in the past to be the source of various security issues. Some of the Firefox 9 fixes illustrate this problem:
MFSA 2011-58: Crash scaling video to extreme sizes (effects OGG formated videos)
MFSA 2011-56: nsSVGValue out-of-bounds access
These two vulnerabilities are rated as critical by Mozilla.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.