12 Sep 2005
Mozilla's Firefox browser is susceptible to a buffer overflow attack that is deemed 'highly critical', users have been warned.
The flaw was discovered by security expert Tom Ferris and affects all versions of the open source browser up to 1.0.6, as well as the beta for Firefox 1.5, he reported on his website.
The vulnerability allows an attacker to remotely execute code on a compromised system through a buffer overflow attack.
Demonstrating the vulnerability, Ferris offers a link to a page where a specially crafted URL will cause the browser to freeze and eventually crash, closing all browser windows. Microsoft's Internet Explorer is unaffected by the flaw.
Ferris reported the issue to Mozilla on 4 September, but allegedly decided to go public after a disagreement with the organisation.
Mozilla has published a patch that protects the browser against sites seeking to exploit the flaw, and has posted instructions for a manual workaround.
Firefox uses its record on security as a principal selling point in enticing users to switch from Internet Explorer. But although Microsoft's browser has been hit with a series of vulnerabilities, Firefox has also had its share of problems recently.
Do you agree?
Wishful thinking doesn't make it secure.
I like how the first poster says FF has a cleaner codebase, has the poster seen the IE codebase? According to secunia.com Firefox has had 18 vulnerabilities in 2005, IE has had 11. Firefox has a smaller market share at this point, it will be interesting to see if this trend continues as its share rises. (FF does appear to fix issues quicker).
Posted by: Split 13 Sep 2005
Whoopdie Do
If you can find a site that actually uses this flaw, you'd have to look rather hard for it. More to the point, IE still has loads of flaws that will not or cannot be fixed, whereas after 9 days Firefox already has a fix published.
Posted by: Daniel 13 Sep 2005
Still safer
I'm standing by Mozilla. We now know about the flaw and a patch has been issued. Would any other vendor have fixed up a patch so quickly? I don't think so. Furthermore, I believe FFx is still safer, inherently: It has a cleaner codebase and a dedicated community of developers.
Posted by: Tom Wright 12 Sep 2005
Bad focus
This article is only 13 hours old yet seems to mention the published patch only as an afterthought. The vulnerability was publicized on the 8th and the workaround on the 9th (4 and 3 days ago). I'm not sure whether to think of this story as a biased FF-basher or just out of the loop.
Posted by: Andrew Conkling 12 Sep 2005
So, this flaw does not apply to 1.0.6?
The article says "up to" version 1.0.6. Is this a mistake or does 1.0.6 not have this vulnerability?
Posted by: Bones 12 Sep 2005