Firefox flaw found: Remote exploit possible
The vulnerability affects the new beta version released today
IDG News Service - Computers running the Firefox browser could be open to remote attack as a result of a buffer overflow vulnerability reported today by security researcher Tom Ferris.
Vulnerable versions of Firefox include all those up to 1.06, and even the just-released Version 1.5 Beta 1 (Deer Park Alpha 2), Ferris wrote in a posting to his Web site, Security Protocols, and to the Full Disclosure security mailing list just after 1 a.m. EDT today.
Ferris said he reported the bug to staff at the Mozilla Foundation, the organization behind the Firefox browsers, on Sept. 4, but had no idea whether the foundation is working on a fix for the problem.
The problem is caused by a bug in the code Firefox uses to process HTML links in Web pages, Ferris said. Links pointing to a host with a long name composed entirely of dashes can be crafted so that Firefox will execute arbitrary code of an attacker's choosing.
Mozilla officials said today that they learned of the issue on Tuesday and are already working on a patch. "We have a preliminary patch for part of the problem, and are in the process of developing a comprehensive solution that will appear in a upcoming release," said Michael Schroepfer, Mozilla's head of engineering. He was not sure when the patch would be released.
Last month, Ferris reported a critical flaw in fully patched versions of Microsoft Corp.'s Internet Explorer 6 running on Windows XP Service Pack 2. The flaw was acknowledged by Microsoft, but in that instance, Ferris did not reveal any details of the flaw or how it could be exploited.
Computerworld's Sharon Machlis and Todd Weiss contributed to this report.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
Red Hat Enterprise Linux - The Original Cloud Operating System
Linux adoption is growing against a number of measures, such as the
number of supercomputers that run Linux and the size of the contributing...
- OpenStack Hype vs. Reality: CIO Quick Pulse Open-source architecture can enable IT departments to build infrastructure-as-a-service (IaaS) clouds running on standard hardware.
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Malware and Vulnerabilities White Papers | Webcasts