informa
/
News

Mozilla Posts Firefox Fixes But Possible Bug Remains

A security researcher claims to have released exploit code that affects Firefox 3.6.
The Mozilla Foundation on Wednesday issued five security advisories related to vulnerabilities in its Firefox, Thunderbird, and SeaMonkey software.

But an unconfirmed zero-day vulnerability isn't among those being fixed.

Three of the advisories detail critical vulnerabilities; two of them cover moderate vulnerabilities.

The vulnerabilities could be used to allow a remote attacker to execute arbitrary code.

US-CERT is advising Firefox users to upgrade to version 3.0.18, 3.5.8, or 3.6.

Thunderbird users are advised to version 3.0.2, and SeaMonkey users should switch to version 2.0.3.

Whether these fixes will prove sufficient to protect users isn't clear: A Russian security researcher claims to have released exploit code that affects Firefox 3.6 and isn't addressed by the advisories.

Evgeny Legerov, who founded Moscow-based Intevydis, said in an online post at the beginning of February that he had added zero-day Firefox exploit code to a module called Vulndisco, which is used by his company's Immunity Canvas penetration testing system.

"People who've seen Firefox exploit agree with me -- it is a really cool bug," he said in his post. "It was an interesting challenge to find and exploit it. The exploit needs some work, but it was quite reliable in our testing."

Mozilla didn't immediately respond to a request for comment.

In a post on its security blog last week, Mozilla's Jesse Ruderman said that the company has become more adept at delivering security updates without introducing new bugs, a problem known as regression.

Based on an analysis of 176 bugs addressed by Firefox bug hunters between December 2007 and January 2010, Ruderman said that the frequency of regression errors appears to have declined.

But Firefox's popularity has given rise to security worries that go beyond coding practices. In early February, Mozilla's Add-on management group AMO said that it had removed two Firefox plug-ins because they contained malware.

Update: In an e-mailed statement, a Mozilla spokesperson said, "Mozilla takes all security vulnerabilities seriously, and have as yet been unable to confirm the claim of an exploit. At this time it appears that Secunia Advisory SA38608 is based on an unconfirmed report. We value the contributions of all security researchers and encourage them to work with us to ensure the highest level of security and best outcome for users."