Security flaw affects Firefox, Linux users
The Mozilla Foundation released an updated version of Firefox today
TechWorld.com - A serious security flaw surfaced yesterday that affects the Firefox Web browser and Linux but leaves Microsoft's Internet Explorer and Windows unscathed.
The bug is in the Linux shell scripts that Firefox and the Mozilla browser suite use to parse Web addresses supplied via the command line or by external programs such as e-mail clients. Researcher Peter Zelezny discovered that commands included in the URL and enclosed in backticks (') were executed by the Linux or Unix shell.
The flaw doesn't require Web interaction to be effective. If a user with affected versions of Firefox or Mozilla set as the default browser clicks on a maliciously crafted URL in an e-mail program, for example, malicious commands would be executed before the browser was launched.
Security advisory firms Secunia and FrSIRT both gave the flaw their most severe ratings.
The Mozilla Foundation, which develops Firefox and other Mozilla-based software such as the Thunderbird e-mail client, today released a Firefox update -- Version 1.0.7 -- fixing the flaw, as well as a week-old security bug in the handling of international domain names (IDN). The update can be found on the Firefox Web site.
The flaw arrives amid mounting challenges for Firefox, which has gained a significant user base in the past few months, mostly at the expense of Internet Explorer. A report from Symantec Corp. earlier this week revealed that nearly twice as many flaws had been discovered in Firefox as in Explorer over the first six months of this year (see "Symantec report sparks safe-browser debate"). A few days earlier, developers were forced to rush out a patch for a critical hole in Firefox involving IDN parsing.
Linux is also generally seen as a lower-risk platform than Windows, partly because it is less widely used on the desktop and therefore isn't targeted as often. The security picture is changing, though, according to the Symantec report, with platforms like Linux and Mac OS X coming under increasing scrutiny by potential attackers.
Tristan Nitot, president of Mozilla Europe, has said Symantec's figures don't tell the whole story. For one thing, Firefox patches arrive faster than those for Explorer, he said, pointing out that Microsoft won't even issue its monthly patch in September. More flaws are being discovered in Firefox in the short term because of its newfound popularity, but overall, Nitot said, Explorer's flaws are more numerous and more severe.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts