Quantcast
PCWorld.com is upgrading some back-end systems. Some site features, such as user registration, may be temporarily unavailable.
Subscribe to magazine

Mozilla Patches Firefox Flaw

Workaround will prevent exploits that allow remote control of users' systems through browser bug.

Robert McMillan, IDG News Service

  • 0 Yes
  • 0 No

The Mozilla Foundation has released a workaround for a critical buffer overflow vulnerability in the Firefox browser that was first made public last Friday.

By Friday afternoon, Mozilla developers had posted a software patch and instructions for a workaround, both of which disable the buggy Firefox feature.

Open to Attack

The vulnerability, which was reported by security researcher Tom Ferris to the Mozilla team earlier this week, concerns the International Domain Name (IDN) feature that Mozilla products use to process Web pages that do not use Latin alphabet characters in their names.

Links pointing to a host with a long name composed entirely of dashes can be crafted so that Firefox will execute arbitrary code of an attacker's choosing, meaning that an attacker theoretically could use the flaw to take control of a user's machine.

No code that actually exploits this vulnerability has yet been seen, but all versions of Mozilla Firefox and the Mozilla Suite are affected, according to the Mozilla team. The vulnerability even includes version 1.5 Beta 1 (Deer Park Alpha 2), which was released on Thursday.

"It's something we take seriously because it could be used for bad things," said Mike Schroepfer, director of engineering with the Mozilla Foundation.

Solid Fix Pending

Because both the patch and the workaround simply disable IDN, users who require the feature to visit international Web sites should stick to visiting Web sites they know and trust until the problem is actually repaired in the browser, Schroepfer said.

When that will happen remains unknown. "We're determining that now," he said.

Ferris described the flaw in his Security Protocols Web site and on the Full Disclosure security mailing list last week. He said the problem is caused by a bug in the code Firefox uses to process HTML (Hypertext Markup Language) links in Web pages.

In August, Ferris reported a critical flaw in fully patched versions of Microsoft Internet Explorer 6 running on Windows XP Service Pack 2. The flaw was acknowledged by Microsoft, but in that instance, Ferris did not reveal any details of the flaw or how it could be exploited.

Peter Sayer of the IDG News Service contributed to this report.

  • Recommend this story?
  • 0 Yes
    0 No

"Mozilla Patches Firefox Flaw" Comments

People who read this also read:

  • 15 Minutes to a Secure Business Get the Secure in 15 toolkit starting with the "15 Minutes Month-at-a-Glance" calendar. McAfee will send you additional tools and tricks to stay protected around the clock.
  • A Buyer's Guide to Data Protection Implementing data protection products and processes can be daunting. Make the right decisions by exploring what is available and what makes sense for your organization. Use this simple guide to evaluate different vendor offerings.

Sponsored Links