Mozilla Posts Firefox Fixes But Possible Bug Remains - InformationWeek

News
2/19/2010
04:07 PM
A security researcher claims to have released exploit code that affects Firefox 3.6.

The Mozilla Foundation on Wednesday issued five security advisories related to vulnerabilities in its Firefox, Thunderbird, and SeaMonkey software.

But an unconfirmed zero-day vulnerability isn't among those being fixed.

Three of the advisories detail critical vulnerabilities; two of them cover moderate vulnerabilities.

The vulnerabilities could be used to allow a remote attacker to execute arbitrary code.

US-CERT is advising Firefox users to upgrade to version 3.0.18, 3.5.8, or 3.6.

Thunderbird users are advised to upgrade to version 3.0.2, and SeaMonkey users should switch to version 2.0.3.
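The US-CERT advice above is branch-specific: a Firefox 3.5 install is only fixed at 3.5.8, not because it is "below 3.6". The following is an added example, not code from the article, Mozilla or US-CERT, that shows how a defender might check an endpoint inventory against those minimum versions without mixing up branches. The inventory lines and host names are constructed for the example; the version numbers are the ones the article quotes. Note that an install at or above the fixed version is still exposed to the unconfirmed Firefox 3.6 zero-day the article describes, since that claim is not covered by the advisories.

```python
"""Branch-aware check of Mozilla product versions against the fixed releases
named in the article (Firefox 3.0.18 / 3.5.8 / 3.6, Thunderbird 3.0.2,
SeaMonkey 2.0.3). Added example; not Mozilla's or US-CERT's tooling."""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

# Minimum fixed version per (product, major.minor branch), taken from the article.
FIXED_VERSIONS: Dict[str, Dict[Tuple[int, int], Version]] = {
    "firefox": {(3, 0): (3, 0, 18, 0), (3, 5): (3, 5, 8, 0), (3, 6): (3, 6, 0, 0)},
    "thunderbird": {(3, 0): (3, 0, 2, 0)},
    "seamonkey": {(2, 0): (2, 0, 3, 0)},
}


def parse_version(text: str) -> Version:
    """Turn '3.6', '3.5.8' or '2.0.0.20' into a 4-tuple of ints, padding with zeros.

    Anything that is not 1-4 purely numeric components (e.g. '3.6b5' betas)
    is rejected rather than guessed at, so a caller cannot mistake a
    pre-release build for a patched one.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))  # type: ignore[return-value]


def needs_update(product: str, version: str) -> Optional[bool]:
    """Compare a build against the fixed release on ITS OWN branch.

    Returns True if it is older than the fixed release, False if at or above
    it, and None if the branch is not one the advisories name (e.g. Firefox
    2.0.x). None should be treated as 'unsupported, investigate', never as safe.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(product.lower(), {}).get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def audit_inventory(csv_text: str) -> Dict[str, str]:
    """Classify each 'host,product,version' line as ok / update / unsupported / invalid."""
    result: Dict[str, str] = {}
    for line in csv_text.strip().splitlines():
        host, product, version = (field.strip() for field in line.split(","))
        try:
            status = needs_update(product, version)
        except ValueError:
            result[host] = "invalid"
            continue
        result[host] = {True: "update", False: "ok", None: "unsupported"}[status]
    return result


# Constructed sample inventory (hosts and versions invented for the example).
SAMPLE_INVENTORY = """
ws01,firefox,3.5.7
ws02,firefox,3.5.8
ws03,firefox,3.6
ws04,firefox,3.0.17
ws05,firefox,2.0.0.20
ws06,thunderbird,3.0.1
ws07,seamonkey,2.0.3
ws08,firefox,3.6b5
"""

if __name__ == "__main__":
    for host, status in sorted(audit_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

The comparison is done on the branch's own fixed version rather than on "highest version wins", which is what makes 3.5.8 report as patched while 3.5.7 does not; an unknown branch or unparsable string is surfaced explicitly instead of being silently treated as fine.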

Whether these fixes will prove sufficient to protect users isn't clear: A Russian security researcher claims to have released exploit code that affects Firefox 3.6 and isn't addressed by the advisories.

Evgeny Legerov, who founded Moscow-based Intevydis, said in an online post at the beginning of February that he had added zero-day Firefox exploit code to a module called Vulndisco, which is used by his company's Immunity Canvas penetration testing system.

"People who've seen Firefox exploit agree with me -- it is a really cool bug," he said in his post. "It was an interesting challenge to find and exploit it. The exploit needs some work, but it was quite reliable in our testing."

Mozilla didn't immediately respond to a request for comment.

In a post on its security blog last week, Mozilla's Jesse Ruderman said that the company has become more adept at delivering security updates without introducing new bugs, a problem known as regression.

Based on an analysis of 176 bugs addressed by Firefox bug hunters between December 2007 and January 2010, Ruderman said that the frequency of regression errors appears to have declined.

But Firefox's popularity has given rise to security worries that go beyond coding practices. In early February, Mozilla's Add-on management group AMO said that it had removed two Firefox plug-ins because they contained malware.

Update: In an e-mailed statement, a Mozilla spokesperson said, "Mozilla takes all security vulnerabilities seriously, and have as yet been unable to confirm the claim of an exploit. At this time it appears that Secunia Advisory SA38608 is based on an unconfirmed report. We value the contributions of all security researchers and encourage them to work with us to ensure the highest level of security and best outcome for users."
