Mozilla denies new Firefox bug is security risk
Hackers trawling for clues in Bugzilla tracker, say some Firefox developers
Computerworld - Mozilla is denying that a bug that crashes Firefox 3.5 is a security vulnerability, countering earlier reports that the company's latest browser contained a flaw even though it had just been patched.
In a Sunday post to Mozilla's security blog, Mike Shaver, the company's vice president of engineering, said that the bug, which had originally been disclosed on the milw0rm hacker site, is not a vulnerability. "The reports by press and various security agencies have incorrectly indicated that this is an exploitable bug," Shaver said. "Our analysis indicates that it is not, and we have seen no example of exploitability."
Exploit code hit milw0rm last Wednesday. Firefox developers immediately logged the bug into Bugzilla, Mozilla's change- and bug-tracking database.
The bug, continued Shaver, does crash Firefox 3.5 -- and the recently-released 3.5.1 -- in some situations. But there's no way for an attacker to exploit that by injecting malicious code on the machine. The bug can crash Windows, Mac and Linux editions of Firefox, including Firefox when it's being run on the still-unfinished Windows 7.
Both Shaver in his blog post and developers on Bugzilla noted that the Firefox crash on Macs was due to a flaw in Apple's operating system, specifically the ATSUI system library. "We have reported this issue to Apple, but in the event that they do not provide a fix we will look to implement mitigations in Mozilla code," Shaver said.
Mozilla developer Vladimir Vukicevic countered that it was unlikely Apple would fix the problem. "We've reported this and similar bugs in the past to Apple; they have so far had no interest in fixing such bugs in their font rendering subsystems, especially if they're in ATSUI and not CoreText," said Vukicevic on Bugzilla.
Just last Thursday, Mozilla patched Firefox 3.5 for the first time, issuing a fix for a critical vulnerability in TraceMonkey's just-in-time (JIT) compiler. In the run-up to creating a fix for that flaw, Mozilla developers speculated that the hacker had dug through Bugzilla to find information that helped him exploit the vulnerability.
Mozilla repeated the charge in the entry for the newest bug. "Sam and Reed think that someone might be trawling Bugzilla in order to develop exploits," said Mike Beltzner, the director of Firefox, in a comment added to the Bugzilla thread. "Not sure what to do about that." The same hacker who posted exploit code last week was one of two who claimed to have created the newest attack code.
Gal declined to suggest solutions about hacker trawling. "I am not comfortable talking about what goes wrong and why since that might reveal other, potentially even more severe problems in some cases," he said.
There is as yet no fix for the crash bug now being investigated.
According to Mozilla's Web site, it's planning to release another update to Firefox -- tagged as 3.5.2 -- by the end of this month or in early August.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts