Included in Firefox 14 is a fix for a flaw in the sandbox through which an attacker could carry out an arbitrary code execution using a Javascript URL.
“The Gecko engine features a JavaScript sandbox utility that allows the browser or add-ons to safely execute script in the context of a web page. In certain cases, javascript: URLs are executed in such a sandbox with insufficient context that can allow those scripts to escape from the sandbox and run with elevated privilege. This can lead to arbitrary code execution”, Mozilla explained in a security advisory.
Another critical flaw patched in Firefox 14 allows an attacker to bypass the browser’s same-compartment security wrappers (SCSW).
“Cross-compartment wrappers often do not go through SCSW, but have a filtering policy built into them. When an object is wrapped cross-compartment, the SCSW is stripped off and, when the object is read back, it is not known that SCSW was previously present, resulting in a bypassing of SCSW. This could result in untrusted content having access to the XBL that implements browser functionality”, Mozilla related.
The other critical flaws patched in Firefox 14 include a variety of memory corruption hazards.
In addition, Firefox 14 improves security by enabling HTTPS when making web searches via Google, giving users more information about website security through icons, providing “click-to-play” activation for plug-ins, and bolstering the site identity manager to prevent spooling of SSL connection with favicons.