News
9/21/2005 02:12 PM
Mozilla Patches For Firefox Address Multiple Problems

Mozilla patches its popular browser to fix a buffer overflow vulnerability, and it plugs a critical hole in the Linux edition of Firefox.

Mozilla Corp. late Tuesday patched its popular browser to fix a buffer overflow vulnerability that could let attackers grab control of the PC, and plugged a new critical hole in the Linux edition of Firefox.

Firefox 1.0.7, which has been in development for over a week, fixes the bug in the browser's support for international domain names (IDN). Less than two weeks ago, a researcher posted details about the new IDN flaw, as well as proof-of-concept code.

The Linux version of 1.0.7 also corrects a bug in how Firefox and Mozilla handle URLs supplied on the command line or passed in by external programs, Mozilla said. If such a URL contains shell commands enclosed in backticks, those commands are executed. As with most other browser vulnerabilities, the user would have to be enticed to a malicious Web site, or click on a link in an e-mail message, to suffer an attack like this.
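The behaviour described above is the classic consequence of splicing untrusted text into a command line that a shell parses a second time: backticks are command substitution, so whatever sits between them runs. The following is an added, hypothetical illustration of that bug class, not Mozilla's actual launcher code. It assumes a stand-in `fake_browser` function in place of the real binary, and uses a constructed URL whose backtick payload only creates a marker file so the effect can be observed safely.

```shell
#!/bin/sh
# Added example (hypothetical; not Mozilla's launcher script). Two wrapper
# functions hand a URL string to a "browser". The unsafe one splices the URL
# into shell source text that is parsed again, so a backtick command
# substitution inside the URL is executed. The safe one passes the URL as a
# single quoted argument, which the shell treats as opaque data.

# Stand-in for the browser binary: it only reports the URL it was given.
fake_browser() {
    printf 'browser received: %s\n' "$1"
}

# Unsafe pattern: the URL becomes part of a command line that eval re-parses,
# so any `...` inside it runs before fake_browser ever sees the string.
unsafe_open_url() {
    eval "fake_browser $1"
}

# Hardened pattern: the URL is one quoted argument; no word splitting and no
# command substitution take place.
safe_open_url() {
    fake_browser "$1"
}

# Drives a wrapper with a constructed URL that embeds a harmless backtick
# command (it creates a marker file). Returns 0 if that command actually ran,
# 1 if the URL was passed through untouched.
embedded_command_runs() {
    wrapper=$1
    marker="${TMPDIR:-/tmp}/backtick_demo.$$.$wrapper"
    rm -f "$marker"
    "$wrapper" "http://example.invalid/\`touch $marker\`" >/dev/null
    if [ -e "$marker" ]; then
        rm -f "$marker"
        return 0
    fi
    return 1
}

# Demonstration output when the script is run directly.
for w in unsafe_open_url safe_open_url; do
    if embedded_command_runs "$w"; then
        printf '%s: embedded command executed\n' "$w"
    else
        printf '%s: URL passed through as plain data\n' "$w"
    fi
done
```

Running the script shows the unsafe wrapper executing the embedded `touch` while the safe wrapper hands the literal string, backticks and all, to the stand-in browser. The fix is purely a matter of quoting: data that arrives from outside the script must never be concatenated into text the shell will parse.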

Secunia, a Danish vulnerability aggregator, classified this Linux bug as "Extremely critical," its highest threat ranking. "It's critical enough for us to release a patch," was all Chris Beard, Mozilla's head of products, would acknowledge in an interview.

The Linux bug, Beard said, was reported to Mozilla by an independent researcher, Peter Zelezny, 14 days ago.

Numerous Linux builds are at risk, according to the SecurityFocus Web site, including Firefox 1.0.6 and Mozilla 1.7.7, which ship in several Linux distributions, ranging from Red Hat's to TurboLinux's.

A corresponding fix for the Mozilla Suite browser, however, is not quite ready; an update to 1.7.12 is expected shortly, Beard said.

Nor will beta 1 of Firefox 1.5 be patched immediately against either bug, Beard confirmed. "We'll patch those in beta 2, which will release in the first week of October," he said. A work-around for beta 1 of Firefox 1.5, the next major update to the year-old browser, was posted a week and a half ago.

The release of Firefox 1.0.7 came just days after Symantec noted in its semi-annual report on Internet security that Mozilla's browsers had nearly twice as many reported vulnerabilities as Microsoft's Internet Explorer.

"I don't think a comparison of the raw count of vulnerabilities is representative of the security of a product," argued Beard, who took exception to the idea that Firefox and Mozilla were any less secure than IE. "Different vendors report vulnerabilities in different ways.

"Given Mozilla's open and transparent approach, we are very detailed on how we publish our vulnerability reports, and we list each vulnerability separately," said Beard. "Other vendors don't. Other vendors often combine multiple vulnerabilities, for instance, into one security bulletin."

Microsoft has been accused in the past of camouflaging the number of vulnerabilities in Windows or IE by "ganging" several together under the umbrella of just one of its monthly security bulletins.

Firefox 1.0.7 can be downloaded from the Mozilla site in versions for Windows, Linux, and Mac OS X. Currently, only an English-language edition is available.
