[ISN] Firefox Patch Fixes Vulnerabilities And Crashes

InfoSec News isn at c4i.org
Fri Feb 25 04:48:34 EST 2005


By John Foley 
Feb. 24, 2005 

It's time to update the millions of Firefox 1.0 browsers that have
been downloaded over the past 11 weeks. The Mozilla Foundation on
Thursday released its first security update to Firefox, comprising a
series of patches intended to prevent spoofing and phishing attacks
and fix glitches that cause the browser to crash.

The security update, Firefox 1.0.1, can be downloaded immediately at
www.mozilla.org, and it will be available within a few days via
Firefox's automatic update feature. "I'd encourage users to get this
release, especially if they've been prone to phishing attacks or
spoofing," says Chris Hofmann, director of engineering with Mozilla, a
nonprofit software-development organization. "A lot of work in this
release focuses on those areas."

The update covers a handful of security vulnerabilities and
approximately 40 other fixes related to browser performance based on
user feedback to Mozilla. The security vulnerabilities range from
"moderately critical" in nature to not critical. None of them are
highly critical, and there are no known exploits for any of the
vulnerabilities, Hofmann says.

One security patch addresses the problem of international domain name
spoofing, in which a hacker could potentially spoof a Web site through
the international characters in the browser. The fix involves putting
"funny-looking characters" in the susceptible area of the browser,
though Hofmann acknowledges it's only a temporary solution. Security
firm Secunia described the IDN spoofing vulnerability in a bulletin
earlier this month.

The update is also meant to prevent cross-site scripting, in which an
attacker gains access to data entered on a Web site by manipulating
the browser.

Firefox 1.0 has been downloaded 27 million times since it was released
on Dec. 7. In the process, the no-cost browser has cut into Microsoft
Internet Explorer's dominant share of the browser market. IE's market
share on Windows PCs had slipped to 92.7% in mid-January, from 96.7%
in June, while Firefox's share rose, according to WebSideStory Inc., a
Web-analytics firm that tracks browser usage. WebSideStory is expected
to release updated Web-browser statistics next week.

More information about the ISN mailing list