Mozilla Privacy Leak Reported

A "serious" privacy leak in Mozilla--and other browsers based on the open-source technology, such as Netscape and Galeon--discloses users' Web surfing information, according to a recent report.

The Mozilla bug has been reported on the Bugtraq mailing list by researcher Sven Neuhaus. He says the newly discovered vulnerability reveals the URL of the page a Web surfer is visiting to the Web server of the last page the user visited. The bug affects Mozilla 1.0, 1.0.1, and 1.1, as well as Mozilla-based browsers such as Netscape 7 and Galeon, Neuhaus said. Older versions of Mozilla could also contain the bug, the researcher added.

A Mozilla representative was not immediately available to comment on the bug. However, an alpha version of Mozilla 1.2--not fingered by Bugtraq as having the flaw--is available from the development group.

Flaw Described

According to the report, the vulnerability occurs not only for links followed on the page, but also for manually entered URLs and bookmarks. The problem originates in the HTTP requests that are launched from a page's "onunload" handler, he said.

Although Neuhaus said that the bug is a couple of months old, he said he was disclosing the vulnerability at this time to prompt a fix.

Mozilla is an open-source development project originally begun by Netscape, which is now part of AOL Time Warner. The open-source development group Mozilla.org released and supports the browser, originally released in June.

The Mozilla technology has been incorporated into AOL's Gecko Web-rendering engine, which is used in the company's Netscape 7 browser, among others.

Mozilla.org invites users to report bugs on its site. A security company voiced concern about a vulnerability that allowed remote viewing of users' systems even in prerelease versions of Mozilla.

Bugs Find Browsers

The leading browser, Microsoft's Internet Explorer, has been dogged with bug reports as well. Microsoft updated IE 6 with the release last week of a Service Pack, which collects a number of bug fixes. It was released in conjunction with SP1 for Windows XP, which plugs a hole that leaves PCs vulnerable when they are connected to the Internet.

Microsoft says its SP1 for IE 6 fixes addresses more than 300 issues with the browser, which first shipped last October with Windows XP. However, some bug hunters say flaws remain, despite the update.