Mozilla Patches For Firefox Address Multiple Problems

Mozilla patches its popular browser to fix a buffer overflow vulnerability, and it plugs a critical hole in the Linux edition of Firefox.

Mozilla Corp. late Tuesday patched its popular browser to fix a buffer overflow vulnerability that could let attackers grab control of the PC, and plugged a new critical hole in the Linux edition of Firefox.

Firefox 1.0.7, which has been in development for over a week, fixes the bug in the browser's support for international domain names (IDN). Less than two weeks ago, a researcher posted details about the new IDN flaw, as well as proof-of-concept code.

The Linux version of 1.0.7 also corrects a bug discovered in how Firefox and Mozilla parse URLs supplied on the command line, or by external programs, said Mozilla. If the URL includes any Linux commands -- embedded and enclosed in backticks -- they are executed. As with most other browser vulnerabilities, the user would have to be enticed to a malicious Web site, or click on a link included in an e-mail message, to suffer an attack like this.
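As an added illustration (not Mozilla's code and not the actual 1.0.7 fix), the pattern that closes this class of bug: the URL never touches a shell, because it is passed as a single argv element, and anything RFC 3986 does not allow unencoded, backticks included, is rejected before hand-off. The handler path and the sample URLs are constructed placeholders.

```python
"""Hand an externally supplied URL to a helper program without a shell.

The 2005 Linux Firefox bug arose when a URL from the command line or an
external program was interpreted by a shell, so backtick-enclosed text
ran as a command. Two defences: validate the URL against the RFC 3986
character set (backtick, quotes, whitespace, <, >, | and \\ must be
percent-encoded in any legal URL), and launch with an argv list so no
shell ever parses the string.
"""
import re
import subprocess
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "ftp"}
# Unreserved + reserved + percent sign, per RFC 3986. A raw backtick,
# space, quote, <, >, | or backslash is outside this set and is refused.
URL_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+$")


def url_is_safe(url: str) -> bool:
    """True if url uses an allowed scheme, has a host and contains only
    characters RFC 3986 permits unencoded."""
    if not URL_CHARS.fullmatch(url):
        return False
    parts = urlsplit(url)
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def build_argv(handler: str, url: str) -> list[str]:
    """Build the argv for the helper. The URL is one element, so even if
    validation were bypassed a shell would never evaluate it."""
    if not url_is_safe(url):
        raise ValueError(f"refusing to hand off URL: {url!r}")
    return [handler, url]


def open_url(handler: str, url: str) -> int:
    """Launch the helper directly; shell=False means no backtick or
    $(...) substitution can occur. Returns the helper's exit status."""
    return subprocess.run(build_argv(handler, url), shell=False, check=False).returncode


if __name__ == "__main__":
    # Constructed sample inputs; HANDLER is a placeholder path.
    HANDLER = "/usr/bin/xdg-open"
    for candidate in ("http://example.com/page?id=1&x=2", "http://example.com/`id`"):
        try:
            print("would run:", build_argv(HANDLER, candidate))
        except ValueError as exc:
            print(exc)
```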

Secunia, a Danish vulnerability aggregator, classified this Linux bug as "Extremely critical," its highest threat ranking. "It's critical enough for us to release a patch," was all Chris Beard, Mozilla's head of products, would acknowledge in an interview.

The Linux bug, Beard said, was reported to Mozilla by an independent researcher, Peter Zelezny, 14 days ago.

Numerous versions of Linux Firefox are at risk, according to the SecurityFocus Web site, including Firefox 1.0.6 and Mozilla 1.7.7, which is included in several Linux distributions, ranging from Red Hat's to TurboLinux's.

A patch for the browser in the Mozilla Suite, however, is not quite ready; an update to 1.7.12 is expected shortly, Beard said.

Nor will beta 1 of Firefox 1.5 be patched immediately against either bug, Beard confirmed. "We'll patch those in beta 2, which will release in the first week of October," he said. A work-around for beta 1 of Firefox 1.5, the next major update to the year-old browser, was posted a week and a half ago.

The release of Firefox 1.0.7 came just days after Symantec noted in its semi-annual report on Internet security that Mozilla's browsers posted nearly twice the number of vulnerabilities that Microsoft's Internet Explorer did.

"I don't think a comparison of the raw count of vulnerabilities is representative of the security of a product," argued Beard, who took exception at the idea that Firefox and Mozilla were any less secure than IE. "Different vendors report vulnerabilities in different ways.

"Given Mozilla's open and transparent approach, we are very detailed on how we publish our vulnerability reports, and we list each vulnerability separately," said Beard. "Other vendors don't. Other vendors often combine multiple vulnerabilities, for instance, into one security bulletin."

Microsoft has been accused in the past of camouflaging the number of vulnerabilities in Windows or IE by "ganging" several together under the umbrella of just one of its monthly security bulletins.

Firefox 1.0.7 can be downloaded from the Mozilla site in versions for Windows, Linux, and Mac OS X. Currently, only an English-language edition is available.
