Title: Memory corruption vulnerabilities (rv:1.8.1.10)
Impact: High
Announced: November 26, 2007
Products: Firefox, SeaMonkey
Fixed in: Firefox 2.0.0.10
SeaMonkey 1.1.7
Description
The Firefox 2.0.0.10 update contains fixes for three bugs that improve the stability of the product. These crashes showed some evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
Mozilla Foundation Security Advisory 2007-39
Title: Referer-spoofing via window.location race condition
Impact: High
Announced: November 26, 2007
Reporter: Gregory Fleischer
Products: Firefox, SeaMonkey
Fixed in: Firefox 2.0.0.10
SeaMonkey 1.1.7
Description
Gregory Fleischer demonstrated that it was possible to generate a fake HTTP Referer header by exploiting a timing condition when setting the window.location property. This could be used to conduct a Cross-site Request Forgery (CSRF) attack against websites that rely only on the Referer header as protection against such attacks.
When navigation occurs due to setting window.location the Referer header is supposed to reflect the address of the content which initiated the script. Instead, the referer was set to the address of the window (or frame) in which the script was running, and this vulnerability arises from that tiny difference. Using a modal alert() dialog Fleischer was able to suspend the attack script so that it did not load the target URI until after the attacker's initial content had been replaced by the intended referring page. When the Referer is set to the current URI of the script's window it is no longer the correct one.
For more info>>>
Mozilla Foundation Security Advisory 2007-37
Source- mozilla.org