Mozilla Posts Firefox Fixes But Possible Bug Remains
A security researcher claims to have released exploit code that affects Firefox 3.6.
The Mozilla Foundation on Wednesday issued five security advisories related to vulnerabilities in its Firefox, Thunderbird, and SeaMonkey software.
But an unconfirmed zero-day vulnerability isn't among those being fixed.
Three of the advisories detail critical vulnerabilities; two of them cover moderate vulnerabilities.
The vulnerabilities could be used to allow a remote attacker to execute arbitrary code.
US-CERT is advising Firefox users to upgrade to version 3.0.18, 3.5.8, or 3.6.
Thunderbird users are advised to version 3.0.2, and SeaMonkey users should switch to version 2.0.3.
Whether these fixes will prove sufficient to protect users isn't clear: A Russian security researcher claims to have released exploit code that affects Firefox 3.6 and isn't addressed by the advisories.
Evgeny Legerov, who founded Moscow-based Intevydis, said in an online post at the beginning of February that he had added zero-day Firefox exploit code to a module called Vulndisco, which is used by his company's Immunity Canvas penetration testing system.
"People who've seen Firefox exploit agree with me -- it is a really cool bug," he said in his post. "It was an interesting challenge to find and exploit it. The exploit needs some work, but it was quite reliable in our testing."
Mozilla didn't immediately respond to a request for comment.
In a post on its security blog last week, Mozilla's Jesse Ruderman said that the company has become more adept at delivering security updates without introducing new bugs, a problem known as regression.
Based on an analysis of 176 bugs addressed by Firefox bug hunters between December 2007 and January 2010, Ruderman said that the frequency of regression errors appears to have declined.
But Firefox's popularity has given rise to security worries that go beyond coding practices. In early February, Mozilla's Add-on management group AMO said that it had removed two Firefox plug-ins because they contained malware.
Update: In an e-mailed statement, a Mozilla spokesperson said, "Mozilla takes all security vulnerabilities seriously, and have as yet been unable to confirm the claim of an exploit. At this time it appears that Secunia Advisory SA38608 is based on an unconfirmed report. We value the contributions of all security researchers and encourage them to work with us to ensure the highest level of security and best outcome for users."
Google in the Enterprise SurveyThere's no doubt Google has made headway into businesses: Just 28 percent discourage or ban use of its productivity products, and 69 percent cite Google Apps' good or excellent mobility. But progress could still stall: 59 percent of nonusers distrust the security of Google's cloud. Its data privacy is an open question, and 37 percent worry about integration.