Firefox Fix Heads Off Font Attack

Mozilla pushed out an ahead-of-schedule fix for its Firefox browser to close a critical security hole that became public before a patch was available.

The flaw, in Firefox's handling of the Web Open Font Format (WOFF), could allow a malicious Web page to run arbitrary code on a victim's PC, for example to download and install malware. It was made public by security researcher Evgeny Legerov in February, before Mozilla had been informed, prompting a debate about the responsible disclosure of security flaws.

The critical flaw affects only Firefox 3.6, as earlier browser versions don't support WOFF; you can confirm which version you are running under Help | About Mozilla Firefox. According to Mozilla's 3.6.2 release notes, the update also fixes additional security and stability bugs. If you haven't yet received the automatic update prompt from Firefox, head to Help | Check for Updates to pick it up.

Opera users should likewise update their browser to fix a vulnerability in the program's handling of HTTP Content-Length headers. Yesterday's Opera 10.51 patch squashes a number of other bugs as well; see the Opera 10.51 changelog for full details.
