Here are some of the most significant bugs from the past week in the BugBlog.
The Mozilla Foundation says that some third-party media players, such as Macromedia Flash and Apple QuickTime, can run scripts that open the default browser and go to a URL. The default behavior for Mozilla and Firefox is to open that new content in an existing browser window. The new URL would be treated as if it came from the site previously displayed in the browser, and may be able to steal cookies or passwords. An attacker would need luck to exploit this, since it depends on a particular site being open in a browser window. Firefox 1.0.5 fixes this by opening these new URLs in a blank context, so they have no access to data from other websites. See http://www.mozilla.org/security/announce/mfsa2005-53.html for details on how to change this behavior in earlier versions.
There is a bug in the font parsing function of Microsoft Word 2000, Word 2002 and the Microsoft Works suite. A remote attacker can send a poisoned Word document; if a victim opens it, the attacker may gain the same privileges as the victim. Links to patches for the various vulnerable versions are at http://www.microsoft.com/technet/security/Bulletin/MS05-035.mspx. Microsoft credits Lord Yup working with iDEFENSE for finding this bug.
In the Apple Mac OS X 10.4.1 Finder, if you choose “Show Package Contents” several times for the same package, Finder may suddenly crash. (Maybe it just got bored?) Apple says they have fixed this in the Mac OS X 10.4.2 Update. This update also fixes some bugs in the Finder slideshow feature.
There is another reported vulnerability in Nullsoft Winamp 5. The bug is in the way that ID3v2 tags are handled, with a buffer overflow in the Artist field in the tag. This may allow an attacker to run their code on the victim’s computer if they can create the right kind of malicious file, persuade someone to add it to a playlist and then play it. There is no fix yet. The bug was found by Croatian bug hunters at security.lss.hr. Read their English-language report at http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-07-14.
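With no fix available, one defensive step is to triage media files before they reach a playlist. The following is an added example, not code from the BugBlog, Nullsoft or the LSS report: it walks an ID3v2.3/2.4 tag and flags an artist frame (frame ID `TPE1` in those versions) that is unusually large or that claims more bytes than the tag holds. The 256-byte limit, the function names and the sample tags are assumptions made for illustration; unsynchronised tags are not decoded.

```python
import struct

MAX_ARTIST_BYTES = 256  # assumed triage threshold, not a value from the advisory

def synchsafe(b):
    """Decode a 4-byte synchsafe integer (7 usable bits per byte)."""
    return (b[0] & 0x7F) << 21 | (b[1] & 0x7F) << 14 | (b[2] & 0x7F) << 7 | (b[3] & 0x7F)

def artist_frame_findings(data, limit=MAX_ARTIST_BYTES):
    """Walk an ID3v2.3/2.4 tag; report oversized or out-of-bounds frames."""
    if len(data) < 10 or data[:3] != b"ID3":
        return []  # no ID3v2 tag at the start of the file
    major, flags = data[3], data[5]
    if major not in (3, 4):
        return ["unsupported ID3v2 major version %d" % major]
    findings = []
    tag_end = 10 + synchsafe(data[6:10])
    if tag_end > len(data):
        findings.append("tag size runs past end of file")
        tag_end = len(data)
    pos = 10
    if flags & 0x40 and pos + 4 <= tag_end:  # skip the extended header
        ext = data[pos:pos + 4]
        pos += synchsafe(ext) if major == 4 else 4 + struct.unpack(">I", ext)[0]
    while pos + 10 <= tag_end:
        frame_id, raw = data[pos:pos + 4], data[pos + 4:pos + 8]
        if frame_id[0] == 0:
            break  # padding reached
        # v2.4 frame sizes are synchsafe; v2.3 sizes are plain big-endian
        size = synchsafe(raw) if major == 4 else struct.unpack(">I", raw)[0]
        name = frame_id.decode("latin-1")
        if pos + 10 + size > tag_end:
            findings.append("%s frame declares %d bytes, past end of tag" % (name, size))
            break
        if frame_id == b"TPE1" and size > limit:
            findings.append("TPE1 artist frame is %d bytes (limit %d)" % (size, limit))
        pos += 10 + size
    return findings

def build_sample_tag(artist):
    """Constructed ID3v2.3 tag holding one TPE1 frame (test input only)."""
    body = b"\x00" + artist  # leading 0x00 = ISO-8859-1 text encoding
    frame = b"TPE1" + struct.pack(">I", len(body)) + b"\x00\x00" + body
    n = len(frame)
    size = bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])
    return b"ID3\x03\x00\x00" + size + frame

if __name__ == "__main__":
    for artist in (b"Some Band", b"A" * 1000):
        print(len(artist), artist_frame_findings(build_sample_tag(artist)))
```

A finding is a reason to quarantine the file for inspection, not proof that it is malicious.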
See the BugBlog for continuing coverage of bugs and other things that go wrong with your computer.