Just days after fixing multiple security flaws in their Web
browsers, Google and Mozilla have updated their products again to fix a serious
bug that could result in remote code execution.
Mozilla fixed an integer overflow bug in the libpng graphics
library used by its Firefox Web browser and Thunderbird mail client on Feb. 17.
Google fixed the same bug two days earlier in its own update to the Chrome Web
browser. An attacker could craft malicious images which exploit this bug and
compromise users by simply having them view the image using vulnerable
said in its security advisory.
Google’s Feb. 15 security update had fixed the libpng
vulnerability along with 12 other high- and medium-risk integer and heap
overflow and use-after-free vulnerabilities. The latest version of Chrome also
included the new version of the Adobe Flash Player plug-in to address a
recently patched zero-day flaw. Google paid at least $6,837 in bug bounties to
researchers who identified the flaws, according to a post by Jason Kersey on
the Google Chrome blog.
The libpng “bug is remotely exploitable and can lead to
arbitrary code execution,” Mozilla warned in its advisory.
All three major Web browsers were updated this week to
address critical security flaws. Google’s latest release actually follows
another update on Feb. 9 when the company closed 20 flaws in Chrome. Only one
of the bugs had been rated critical, but six were considered high-risk. In that
release, Google also announced a new security feature which would check for
malicious downloads by scanning executable files. If the executable being
downloaded didn’t match a whitelist of approved files, Chrome would ping Google
servers for more information about the Website’s trustworthiness, such as
whether the source was known to host malware.
Since Google bundles the Flash Player plugin with Chrome, it
is responsible for updating the browser whenever Adobe releases an update of
the player. Adobe updated Flash Player on Feb. 15 and disclosed a cross-site
scripting flaw that was already being exploited in targeted attacks against
Internet Explorer users on Windows systems. Users were being tricked into clicking
on a malicious link delivered in an email message to exploit the XSS flaw,
Mozilla had also just updated its brand-new Firefox 10,
released in January, with version 10.0.1 on Feb. 11. The use-after-free flaw
was in a component that was used by Firefox, Thunderbird and SeaMonkey. The
flaw seems to have been introduced in Firefox 10, since versions 9 and earlier
were not affected by this issue.
Microsoft addressed four critical flaws in Internet Explorer
as part of its February Patch Tuesday on Feb. 14. If exploited successfully,
the vulnerabilities could allow remote code execution if a user views a
specially crafted web page using Internet Explorer versions 7, 8 or 9. The
attacker could gain the same user rights as the logged-on user, according to Microsoft.
Attackers are increasingly relying on browser exploits to
compromise users, so it was critical that users and administrators update to
the latest versions as soon as possible, security experts advised.