Firefox flaw found: Remote exploit possible
The vulnerability affects the new beta version released today
IDG News Service - Computers running the Firefox browser could be open to remote attack as a result of a buffer overflow vulnerability reported today by security researcher Tom Ferris.
Vulnerable versions of Firefox include all those up to 1.06, and even the just-released Version 1.5 Beta 1 (Deer Park Alpha 2), Ferris wrote in a posting to his Web site, Security Protocols, and to the Full Disclosure security mailing list just after 1 a.m. EDT today.
Ferris said he reported the bug to staff at the Mozilla Foundation, the organization behind the Firefox browsers, on Sept. 4, but had no idea whether the foundation is working on a fix for the problem.
The problem is caused by a bug in the code Firefox uses to process HTML links in Web pages, Ferris said. Links pointing to a host with a long name composed entirely of dashes can be crafted so that Firefox will execute arbitrary code of an attacker's choosing.
Mozilla officials said today that they learned of the issue on Tuesday and are already working on a patch. "We have a preliminary patch for part of the problem, and are in the process of developing a comprehensive solution that will appear in a upcoming release," said Michael Schroepfer, Mozilla's head of engineering. He was not sure when the patch would be released.
Last month, Ferris reported a critical flaw in fully patched versions of Microsoft Corp.'s Internet Explorer 6 running on Windows XP Service Pack 2. The flaw was acknowledged by Microsoft, but in that instance, Ferris did not reveal any details of the flaw or how it could be exploited.
Computerworld's Sharon Machlis and Todd Weiss contributed to this report.
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!