Firefox flaw found: Remote exploit possible
The vulnerability affects the new beta version released today
IDG News Service - Computers running the Firefox browser could be open to remote attack as a result of a buffer overflow vulnerability reported today by security researcher Tom Ferris.
Vulnerable versions of Firefox include all those up to 1.06, and even the just-released Version 1.5 Beta 1 (Deer Park Alpha 2), Ferris wrote in a posting to his Web site, Security Protocols, and to the Full Disclosure security mailing list just after 1 a.m. EDT today.
Ferris said he reported the bug to staff at the Mozilla Foundation, the organization behind the Firefox browsers, on Sept. 4, but had no idea whether the foundation is working on a fix for the problem.
The problem is caused by a bug in the code Firefox uses to process HTML links in Web pages, Ferris said. Links pointing to a host with a long name composed entirely of dashes can be crafted so that Firefox will execute arbitrary code of an attacker's choosing.
Mozilla officials said today that they learned of the issue on Tuesday and are already working on a patch. "We have a preliminary patch for part of the problem, and are in the process of developing a comprehensive solution that will appear in a upcoming release," said Michael Schroepfer, Mozilla's head of engineering. He was not sure when the patch would be released.
Last month, Ferris reported a critical flaw in fully patched versions of Microsoft Corp.'s Internet Explorer 6 running on Windows XP Service Pack 2. The flaw was acknowledged by Microsoft, but in that instance, Ferris did not reveal any details of the flaw or how it could be exploited.
Computerworld's Sharon Machlis and Todd Weiss contributed to this report.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts