This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
A pair of unpatched vulnerabilities in Mozilla's Firefox browser could allow an attacker to take control of a PC simply by getting a user to visit a malicious Web site, Mozilla says.
A pair of unpatched vulnerabilities in Mozilla's Firefox Web browser -- rated as "extremely critical" by one security firm -- could allow an attacker to take control of a PC simply by getting a user to visit a malicious Web site, Mozilla said Sunday.
The vulnerabilities were discovered by a pair of security researchers, who had notified Mozilla earlier in the month, but were keeping mum until a patch was written. However, details of the vulnerabilities were leaked by someone close to one of the researchers.
According to Danish security vendor Secunia, which tagged the bugs with a highest "extremely critical" warning -- the first time it's used that to describe a Firefox flaw -- a hacker can trick the browser into thinking a download is coming from one of the by-default sites permitted to install software automatically: addons.mozilla.org or update.mozilla.org.
"Changes to the Mozilla Update web service have been made to mitigate the risk of an exploit," the Foundation announced on its security site Sunday. Specifically, Mozilla re-pointed the two update sites to a new URL, and instructed users not to add that new site to their list of Allowed Sites. The change, however, only defends against the current proof-of-concept that's circulating, not the vulnerabilities themselves.
A security update -- which will be dubbed Firefox 1.0.4 -- will be issued as soon as possible. "Mozilla is aggressively working to provide a more comprehensive solution to these potential vulnerabilities and will provide that solution in a forthcoming security update," the organization's security alert continued.
While the leaked information included proof-of-concept code that demonstrated how a malicious site could run code of the attacker's choice and install it on machines using Firefox, Mozilla discounted the risk. "There are currently no known active exploits of these vulnerabilities," it said Sunday.
The release of Firefox 1.0.4 would be the fourth security update to the browser since the beginning of the year. Others appeared in late February, late March, and mid-April. In that time, Microsoft has released two patches for its Internet Explorer browser.
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
2021 State of ITOps and SecOps ReportThis new report from InformationWeek explores what we've learned over the past year, critical trends around ITOps and SecOps, and where leaders are focusing their time and efforts to support a growing digital economy. Download it today!