The Mozilla Foundation has released a new version of its Firefox browser that contains fixes for two critical security bugs
in the software that were reported over the past week.
The most widely reported flaw concerns the IDN (International Domain Name) feature that Mozilla products use to process Web
pages that do not use the Latin alphabet.
Links pointing to a host with a long name composed entirely of dashes can be crafted so that earlier versions of Firefox will
execute arbitrary code of an attacker's choosing. This means that an attacker theoretically could use the flaw to take control
of a user's machine, by launching what is called a buffer overflow attack.
Firefox 1.0.7, which was released Wednesday morning, also fixes a critical flaw in the way the Mozilla software handles Unix
and Linux shell commands that could allow attackers to run unauthorized software on some systems, said Chris Beard, head of
products with Mozilla Corp.
All Firefox users are encouraged to download the new release, which also contains a number of minor changes designed to make
the browser more stable and secure, Beard said.
The IDN bug was discovered by security researcher Tom Ferris and made public via a posting to the Full Disclosure security
mailing list last Friday. By the end of the day, Mozilla had published a workaround, which disabled the IDN feature. With
the 1.0.7 release, this problem has now been rectified, Beard said.
Mozilla is planning a similar update for its Mozilla Suite browser, Beard said. That software is expected to be released by
week's end.
More information on the Firefox 1.0.7 release can be found here: http://www.mozilla.org/products/firefox/releases/1.0.7.html
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
