Mozilla Posts Firefox Fixes But Possible Bug Remains - InformationWeek
Cloud // Cloud Storage
04:07 PM
Connect Directly
Faster, More Effective Response With Threat Intelligence & Orchestration Playboo
Aug 31, 2017
Finding ways to increase speed, accuracy, and efficiency when responding to threats should be the ...Read More>>

Mozilla Posts Firefox Fixes But Possible Bug Remains

A security researcher claims to have released exploit code that affects Firefox 3.6.

The Mozilla Foundation on Wednesday issued five security advisories related to vulnerabilities in its Firefox, Thunderbird, and SeaMonkey software.

But an unconfirmed zero-day vulnerability isn't among those being fixed.

Three of the advisories detail critical vulnerabilities; two of them cover moderate vulnerabilities.

The vulnerabilities could be used to allow a remote attacker to execute arbitrary code.

US-CERT is advising Firefox users to upgrade to version 3.0.18, 3.5.8, or 3.6.

Thunderbird users are advised to version 3.0.2, and SeaMonkey users should switch to version 2.0.3.

Whether these fixes will prove sufficient to protect users isn't clear: A Russian security researcher claims to have released exploit code that affects Firefox 3.6 and isn't addressed by the advisories.

Evgeny Legerov, who founded Moscow-based Intevydis, said in an online post at the beginning of February that he had added zero-day Firefox exploit code to a module called Vulndisco, which is used by his company's Immunity Canvas penetration testing system.

"People who've seen Firefox exploit agree with me -- it is a really cool bug," he said in his post. "It was an interesting challenge to find and exploit it. The exploit needs some work, but it was quite reliable in our testing."

Mozilla didn't immediately respond to a request for comment.

In a post on its security blog last week, Mozilla's Jesse Ruderman said that the company has become more adept at delivering security updates without introducing new bugs, a problem known as regression.

Based on an analysis of 176 bugs addressed by Firefox bug hunters between December 2007 and January 2010, Ruderman said that the frequency of regression errors appears to have declined.

But Firefox's popularity has given rise to security worries that go beyond coding practices. In early February, Mozilla's Add-on management group AMO said that it had removed two Firefox plug-ins because they contained malware.

Update: In an e-mailed statement, a Mozilla spokesperson said, "Mozilla takes all security vulnerabilities seriously, and have as yet been unable to confirm the claim of an exploit. At this time it appears that Secunia Advisory SA38608 is based on an unconfirmed report. We value the contributions of all security researchers and encourage them to work with us to ensure the highest level of security and best outcome for users."

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
IT Strategies to Conquer the Cloud
Chances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll