Cloud // Cloud Storage
04:07 PM
Connect Directly

Mozilla Posts Firefox Fixes But Possible Bug Remains

A security researcher claims to have released exploit code that affects Firefox 3.6.

The Mozilla Foundation on Wednesday issued five security advisories related to vulnerabilities in its Firefox, Thunderbird, and SeaMonkey software.

But an unconfirmed zero-day vulnerability isn't among those being fixed.

Three of the advisories detail critical vulnerabilities; two of them cover moderate vulnerabilities.

The vulnerabilities could be used to allow a remote attacker to execute arbitrary code.

US-CERT is advising Firefox users to upgrade to version 3.0.18, 3.5.8, or 3.6.

Thunderbird users are advised to version 3.0.2, and SeaMonkey users should switch to version 2.0.3.

Whether these fixes will prove sufficient to protect users isn't clear: A Russian security researcher claims to have released exploit code that affects Firefox 3.6 and isn't addressed by the advisories.

Evgeny Legerov, who founded Moscow-based Intevydis, said in an online post at the beginning of February that he had added zero-day Firefox exploit code to a module called Vulndisco, which is used by his company's Immunity Canvas penetration testing system.

"People who've seen Firefox exploit agree with me -- it is a really cool bug," he said in his post. "It was an interesting challenge to find and exploit it. The exploit needs some work, but it was quite reliable in our testing."

Mozilla didn't immediately respond to a request for comment.

In a post on its security blog last week, Mozilla's Jesse Ruderman said that the company has become more adept at delivering security updates without introducing new bugs, a problem known as regression.

Based on an analysis of 176 bugs addressed by Firefox bug hunters between December 2007 and January 2010, Ruderman said that the frequency of regression errors appears to have declined.

But Firefox's popularity has given rise to security worries that go beyond coding practices. In early February, Mozilla's Add-on management group AMO said that it had removed two Firefox plug-ins because they contained malware.

Update: In an e-mailed statement, a Mozilla spokesperson said, "Mozilla takes all security vulnerabilities seriously, and have as yet been unable to confirm the claim of an exploit. At this time it appears that Secunia Advisory SA38608 is based on an unconfirmed report. We value the contributions of all security researchers and encourage them to work with us to ensure the highest level of security and best outcome for users."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Google in the Enterprise Survey
Google in the Enterprise Survey
There's no doubt Google has made headway into businesses: Just 28 percent discourage or ban use of its productivity ­products, and 69 percent cite Google Apps' good or excellent ­mobility. But progress could still stall: 59 percent of nonusers ­distrust the security of Google's cloud. Its data privacy is an open question, and 37 percent worry about integration.
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of August 21, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.