Mozilla Corp. late Tuesday patched its popular browser to fix a buffer overflow vulnerability that could let attackers grab control of the PC, and plugged a new critical hole in the Linux edition of Firefox.
Firefox 1.0.7, which has been in development for over a week, fixes the bug in the browser's support for international domain names (IDN). Less than two weeks ago, a researcher posted details about the new IDN flaw, as well as proof-of-concept code.
The Linux version of 1.0.7 also corrects a bug discovered in how Firefox and Mozilla parse URLs supplied on the command line, or by external programs, said Mozilla. If the URL includes any Linux commands -- embedded and enclosed in backticks -- they are executed. As with most other browser vulnerabilities, the user would have to be enticed to a malicious Web site, or click on a link included in an e-mail message, to suffer an attack like this.
Secunia, a Danish vulnerability aggregator, classified this Linux bug as "Extremely critical," its highest threat ranking. "It's critical enough for us to release a patch," was all Chris Beard, Mozilla's head of products, would acknowledge in an interview.
The Linux bug, Beard said, was reported to Mozilla by an independent researcher, Peter Zelezny, 14 days ago.
Numerous versions of Linux Firefox are at risk, according to the SecurityFocus Web site, including Firefox 1.0.6 and Mozilla 1.7.7, which is included in several Linux distributions, ranging from Red Hat's to TurboLinux's.
The browser in Mozilla Suite, however, is not quite ready; an update to 1.7.12 is expected shortly, Beard said.
Nor will beta 1 of Firefox 1.5 be patched immediately against either bug, Beard confirmed. "We'll patch those in beta 2, which will release in the first week of October," he said. A work-around for beta 1 of Firefox 1.5, the next major update to the year-old browser, was posted a week and a half ago.
The release of Firefox 1.0.7 came just days after a Symantec noted in its semi-annual report on Internet security that Mozilla's browsers posted nearly twice the number of vulnerabilities than did Microsoft's Internet Explorer.
"I don't think a comparison of the raw count of vulnerabilities is representative of the security of a product," argued Beard, who took exception at the idea that Firefox and Mozilla were any less secure than IE. "Different vendors report vulnerabilities in different ways.
"Given Mozilla's open and transparent approach, we are very detailed on how we publish our vulnerability reports, and we list each vulnerability separately," said Beard. "Other vendors don't. Other vendors often combine multiple vulnerabilities, for instance, into one security bulletin."
Microsoft has been accused in the past of camouflaging the number of vulnerabilities in Windows or IE by "ganging" several together under the umbrella of just one of its monthly security bulletins.
Firefox 1.0.7 can be downloaded from the Mozilla site in versions for Windows, Linux, and the Mac OS X. Currently, only an English-language edition is available.