Mozilla denies new Firefox bug is security risk
Hackers trawling for clues in Bugzilla tracker, say some Firefox developers
Computerworld - Mozilla is denying that a bug that crashes Firefox 3.5 is a security vulnerability, countering earlier reports that the company's latest browser contained a flaw even though it had just been patched.
In a Sunday post to Mozilla's security blog, Mike Shaver, the company's vice president of engineering, said that the bug, which had originally been disclosed on the milw0rm hacker site, is not a vulnerability. "The reports by press and various security agencies have incorrectly indicated that this is an exploitable bug," Shaver said. "Our analysis indicates that it is not, and we have seen no example of exploitability."
Exploit code hit milw0rm last Wednesday. Firefox developers immediately logged the bug into Bugzilla, Mozilla's change- and bug-tracking database.
The bug, continued Shaver, does crash Firefox 3.5 -- and the recently-released 3.5.1 -- in some situations. But there's no way for an attacker to exploit that by injecting malicious code on the machine. The bug can crash Windows, Mac and Linux editions of Firefox, including Firefox when it's being run on the still-unfinished Windows 7.
Both Shaver in his blog post and developers on Bugzilla noted that the Firefox crash on Macs was due to a flaw in Apple's operating system, specifically the ATSUI system library. "We have reported this issue to Apple, but in the event that they do not provide a fix we will look to implement mitigations in Mozilla code," Shaver said.
Mozilla developer Vladimir Vukicevic countered that it was unlikely Apple would fix the problem. "We've reported this and similar bugs in the past to Apple; they have so far had no interest in fixing such bugs in their font rendering subsystems, especially if they're in ATSUI and not CoreText," said Vukicevic on Bugzilla.
Just last Thursday, Mozilla patched Firefox 3.5 for the first time, issuing a fix for a critical vulnerability in TraceMonkey's just-in-time (JIT) compiler. In the run-up to creating a fix for that flaw, Mozilla developers speculated that the hacker had dug through Bugzilla to find information that helped him exploit the vulnerability.
Mozilla repeated the charge in the entry for the newest bug. "Sam and Reed think that someone might be trawling Bugzilla in order to develop exploits," said Mike Beltzner, the director of Firefox, in a comment added to the Bugzilla thread. "Not sure what to do about that." The same hacker who posted exploit code last week was one of two who claimed to have created the newest attack code.
Gal declined to suggest solutions about hacker trawling. "I am not comfortable talking about what goes wrong and why since that might reveal other, potentially even more severe problems in some cases," he said.
There is as yet no fix for the crash bug now being investigated.
According to Mozilla's Web site, it's planning to release another update to Firefox -- tagged as 3.5.2 -- by the end of this month or in early August.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- 10 Things Your Next Firewall Must do Next-Generation Firewalls Defined
- Firewall Buyers Guide Operate as the core of your network security infrastructure
- Getting Started With a Zero Trust Approach to Network Security The Traditional Approach to Network Security is Failing. View Now>>
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts