News
News
2/28/2007
06:56 PM
Connect Directly
RSS
E-Mail
50%
50%

U.S.-CERT Warns Of Rogue Code For Firefox Flaw

A new proof-of-concept code is circulating for a Firefox vulnerability that was fixed in Mozilla's security update that was released last week.

The U.S. Computer Emergency Response Team (CERT) issued a warning on Wednesday that a proof-of-concept code is circulating in the wild that could be vulnerability in Mozilla's Firefox browser.

The memory corruption vulnerability in Mozilla's flagship, open-source browser exists due to a flaw in the way Firefox handles freed data structures modified in the onUnload event handler, according to a U.S.-CERT advisory. That flaw can cause a memory corruption error.

Firefox, another U.S.-CERT advisory warns, does not properly handle JavaScript "onUnload" events. This vulnerability may lead to memory corruption that could allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Mozilla's security update, which was released last week, does fix the memory corruption issue, though the company had not made that public initially.

"The Firefox 2.0.0.2 update includes fixes for the bugs that researcher Michal Zalewski reported last week, including the hostname vulnerability, cookie issue and memory corruption issue," wrote Window Snyder, Mozilla's chief security officer, in an e-mail to InformationWeek. "Due to the security fixes, we strongly recommend that all Firefox users upgrade to this latest release." The upgrade is available at this Web site.

The JavaScript onUnload event defines the actions taken when the browser exits a Web page. According to U.S.-CERT, users can download the Firefox update but they also could disable JavaScript to fend off the exploit.

Comment  | 
Print  | 
More Insights
IT's Reputation: What the Data Says
IT's Reputation: What the Data Says
InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Government Tech Digest Oct. 27, 2014
To meet obligations -- and avoid accusations of cover-up and incompetence -- federal agencies must get serious about digitizing records.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and community news at InformationWeek.com.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.