Mozilla Patches For Firefox Address Multiple Problems - InformationWeek


Mozilla patches its popular browser to fix a buffer overflow vulnerability, and it plugs a critical hole in the Linux edition of Firefox.

Mozilla Corp. late Tuesday patched its popular browser to fix a buffer overflow vulnerability that could let attackers grab control of the PC, and plugged a new critical hole in the Linux edition of Firefox.

Firefox 1.0.7, which has been in development for over a week, fixes the bug in the browser's support for international domain names (IDN). Less than two weeks ago, a researcher posted details about the new IDN flaw, as well as proof-of-concept code.

The Linux version of 1.0.7 also corrects a bug discovered in how Firefox and Mozilla parse URLs supplied on the command line, or by external programs, said Mozilla. If the URL includes any Linux commands -- embedded and enclosed in backticks -- they are executed. As with most other browser vulnerabilities, the user would have to be enticed to a malicious Web site, or click on a link included in an e-mail message, to suffer an attack like this.
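The backtick behavior described above can be reproduced harmlessly with a stand-in launcher. This is an added example, not Mozilla's code: the function names are hypothetical, and it assumes the weak point is a shell that re-parses the URL text, which the article does not spell out. It goes slightly beyond the article by adding a caller-side check that also rejects the `$(` form of command substitution.

```shell
#!/bin/sh
# Added illustration; fake_browser, launch_unsafe, launch_safe and
# url_is_clean are hypothetical names, not Mozilla code.

# Stand-in for the browser binary: reports the one argument it received.
fake_browser() { printf '%s\n' "$1"; }

# Weak pattern (assumed): the URL is pasted into a string that the shell
# parses a second time, so backticks become command substitution.
launch_unsafe() { eval "fake_browser \"$1\""; }

# Corrected pattern: the URL stays a single quoted word, never re-parsed.
launch_safe() { fake_browser "$1"; }

# Caller-side check for mail clients or desktop URL handlers: refuse URLs
# carrying shell command-substitution syntax before invoking anything.
url_is_clean() {
    case $1 in
        *'`'*|*'$('*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample input; single quotes keep the backticks literal here.
SAMPLE_URL='http://example.com/`echo INJECTED`'

echo "unsafe launcher passed: $(launch_unsafe "$SAMPLE_URL")"
echo "safe launcher passed:   $(launch_safe "$SAMPLE_URL")"
if url_is_clean "$SAMPLE_URL"; then echo "check: accepted"; else echo "check: rejected"; fi
```

The unsafe launcher hands the browser a URL in which the embedded command has already run, while the safe launcher delivers the backticks as literal characters.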

Secunia, a Danish vulnerability aggregator, classified this Linux bug as "Extremely critical," its highest threat ranking. "It's critical enough for us to release a patch," was all Chris Beard, Mozilla's head of products, would acknowledge in an interview.

The Linux bug, Beard said, was reported to Mozilla by an independent researcher, Peter Zelezny, 14 days ago.

Numerous versions of Linux Firefox are at risk, according to the SecurityFocus Web site, including Firefox 1.0.6 and Mozilla 1.7.7, which is included in several Linux distributions, ranging from Red Hat's to TurboLinux's.

The browser in Mozilla Suite, however, is not quite ready; an update to 1.7.12 is expected shortly, Beard said.

Nor will beta 1 of Firefox 1.5 be patched immediately against either bug, Beard confirmed. "We'll patch those in beta 2, which will release in the first week of October," he said. A work-around for beta 1 of Firefox 1.5, the next major update to the year-old browser, was posted a week and a half ago.

The release of Firefox 1.0.7 came just days after Symantec noted in its semi-annual report on Internet security that Mozilla's browsers posted nearly twice as many vulnerabilities as Microsoft's Internet Explorer.

"I don't think a comparison of the raw count of vulnerabilities is representative of the security of a product," argued Beard, who took exception to the idea that Firefox and Mozilla were any less secure than IE. "Different vendors report vulnerabilities in different ways.

"Given Mozilla's open and transparent approach, we are very detailed on how we publish our vulnerability reports, and we list each vulnerability separately," said Beard. "Other vendors don't. Other vendors often combine multiple vulnerabilities, for instance, into one security bulletin."

Microsoft has been accused in the past of camouflaging the number of vulnerabilities in Windows or IE by "ganging" several together under the umbrella of just one of its monthly security bulletins.

Firefox 1.0.7 can be downloaded from the Mozilla site in versions for Windows, Linux, and Mac OS X. Currently, only an English-language edition is available.
