Mozilla Patches For Firefox Address Multiple Problems
Mozilla patches its popular browser to fix a buffer overflow vulnerability, and it plugs a critical hole in the Linux edition of Firefox.
Mozilla Corp. late Tuesday patched its popular browser to fix a buffer overflow vulnerability that could let attackers grab control of the PC, and plugged a new critical hole in the Linux edition of Firefox.
Firefox 1.0.7, which has been in development for over a week, fixes the bug in the browser's support for international domain names (IDN). Less than two weeks ago, a researcher posted details about the new IDN flaw, as well as proof-of-concept code.
The Linux version of 1.0.7 also corrects a bug discovered in how Firefox and Mozilla parse URLs supplied on the command line, or by external programs, said Mozilla. If the URL includes any Linux commands -- embedded and enclosed in backticks -- they are executed. As with most other browser vulnerabilities, the user would have to be enticed to a malicious Web site, or click on a link included in an e-mail message, to suffer an attack like this.
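The command-line bug described above is an instance of a general launcher hazard: a URL handed to a browser by another program is spliced into a shell command string, so backticks in the URL become command substitution. The following is an added example (not Mozilla code) showing the risky pattern next to a hardened launcher that validates the scheme, flags substitution sequences, and passes the URL as its own argv element so no shell ever interprets it; the `firefox` binary name and the URLs are constructed for illustration.

```python
import re
import shlex
import subprocess
from urllib.parse import urlsplit

# Sequences a POSIX shell expands when a string is evaluated as a command.
SHELL_SUBSTITUTION = re.compile(r"`|\$\(")


def has_shell_substitution(url: str) -> bool:
    """True if the URL contains backtick or $( command-substitution syntax."""
    return bool(SHELL_SUBSTITUTION.search(url))


def build_unsafe_command(browser: str, url: str) -> str:
    """The risky pattern: the untrusted URL is interpolated verbatim into a
    single shell string. If a shell evaluates this string, any backtick
    sequence inside the URL runs as a command with the user's privileges."""
    return f"{browser} {url}"


def build_quoted_command(browser: str, url: str) -> str:
    """If a shell string is unavoidable (e.g. a wrapper script), quote the URL
    so the shell treats it as one literal word."""
    return f"{browser} {shlex.quote(url)}"


def build_safe_argv(browser: str, url: str) -> list:
    """Hardened launcher: only http/https, no substitution sequences, and the
    URL travels as its own argv element (no shell involved at all)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"refusing unsupported scheme: {parts.scheme!r}")
    if has_shell_substitution(url):
        # Redundant once argv is used, but it also catches the URL before it
        # reaches any downstream helper that might still build a shell string.
        raise ValueError("URL contains shell command-substitution characters")
    return [browser, url]


def is_accepted(url: str, browser: str = "firefox") -> bool:
    """Convenience predicate for checking a URL before launching."""
    try:
        build_safe_argv(browser, url)
        return True
    except ValueError:
        return False


def launch(browser: str, url: str) -> None:
    # shell=False: the list is exec'd directly, so backticks are plain bytes.
    subprocess.run(build_safe_argv(browser, url), shell=False, check=False)
```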
Secunia, a Danish vulnerability aggregator, classified this Linux bug as "Extremely critical," its highest threat ranking. "It's critical enough for us to release a patch," was all Chris Beard, Mozilla's head of products, would acknowledge in an interview.
The Linux bug, Beard said, was reported to Mozilla by an independent researcher, Peter Zelezny, 14 days ago.
Numerous versions of Linux Firefox are at risk, according to the SecurityFocus Web site, including Firefox 1.0.6 and Mozilla 1.7.7, which is included in several Linux distributions, ranging from Red Hat's to TurboLinux's.
The browser in Mozilla Suite, however, is not quite ready; an update to 1.7.12 is expected shortly, Beard said.
Nor will beta 1 of Firefox 1.5 be patched immediately against either bug, Beard confirmed. "We'll patch those in beta 2, which will release in the first week of October," he said. A work-around for beta 1 of Firefox 1.5, the next major update to the year-old browser, was posted a week and a half ago.
The release of Firefox 1.0.7 came just days after Symantec noted in its semi-annual report on Internet security that Mozilla's browsers posted nearly twice the number of vulnerabilities as did Microsoft's Internet Explorer.
"I don't think a comparison of the raw count of vulnerabilities is representative of the security of a product," argued Beard, who took exception to the idea that Firefox and Mozilla were any less secure than IE. "Different vendors report vulnerabilities in different ways.
"Given Mozilla's open and transparent approach, we are very detailed on how we publish our vulnerability reports, and we list each vulnerability separately," said Beard. "Other vendors don't. Other vendors often combine multiple vulnerabilities, for instance, into one security bulletin."
Microsoft has been accused in the past of camouflaging the number of vulnerabilities in Windows or IE by "ganging" several together under the umbrella of just one of its monthly security bulletins.
Firefox 1.0.7 can be downloaded from the Mozilla site in versions for Windows, Linux, and the Mac OS X. Currently, only an English-language edition is available.