Mozilla Issues Patches for Firefox Installation Bugs

By Jennifer LeClaire - www.LinuxInsider.com - Part of the ECT News Network
05/12/05 10:47 AM PT

Chris Hofmann, director of engineering of Mozilla Foundation, said staying ahead of malicious code writers is a continual process for the open-source software group. "We want to continue to encourage security researchers and experts to help us improve the browser," he told LinuxInsider.

Close only counts in horseshoes. In business, close isn’t good enough. When your employees and customers are looking for information, they need a search engine that delivers pinpoint accuracy. Download a FREE 30-day trial of Verity Ultraseek and get accurate results with your enterprise search.

The Mozilla Foundation has readied security patches to thwart what security firm Secunia reported earlier this week as two "extremely critical" flaws in its Firefox browser.

Secunia said the vulnerabilities could be exploited by malicious people who wish to take control of victims' computers. Firefox executives are hoping the firm will downgrade the classification once the patches are fully distributed.

Chris Hofmann, director of engineering of Mozilla Foundation, told LinuxInsider that fixes are currently available in 12 of the 37 languages Firefox offers. Fixes for the remaining languages will be ready in the next 24-28 hours.

"We provided a workaround earlier this week. We advised users to disable the list of sites from which they allow software updates," Hofmann said. "The fix that we put out last night allows users to turn that list back on."

Reviewing the Bugs
The first problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list, Secunia said. This can be exploited to execute arbitrary HTML and script code in a user's browser session.

The second problem is input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. Secunia said this can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL. Successful exploitation requires that the site is allowed to install software.

Hofmann said staying ahead of malicious code writers is a continual process for the open-source software group. "We want to continue to encourage security researchers and experts to help us improve the browser," he said. "These contributors help us create a strong architecture around the browser that will protect us from serious exploits from ever appearing."

'All-Eyes' Development Approach
Open-source software companies like Mozilla have an advantage over commercial companies, said Hofmann, because the availability of the source code opens the door for new perspectives.

"We actually have a very passionate community of developers that are working on security and privacy," he said. "When these types of reports come in, they respond very quickly to help us get the patch put together and tested and out to users."

In the browser wars, the bottom line is becoming more about security on a World Wide Web full of hackers, crackers and online thieves, according to industry watchers. Jupiter Research analyst Joe Wilcox told LinuxInsider that it remains to be seen which browser offers the best protection.

Providing Cover
"There's the argument that the open-source, all-eyes approach keeps the software more secure in the first place and provides more resources for fixing problems when they are uncovered," he said. "The commercial argument says because outsiders generally don't see the source code it's more difficult for them to uncover or generate vulnerabilities. The commercial camp says it is also able to respond faster.

All debate aside, Wilcox said it boils down to quick response times when bugs are discovered. In response, Hofmann said Mozilla is committed to that quick response with the help of its growing community.

The new Firefox 1.0.5 has been released with security updates at http://www.mozilla.org/products/firefox/

The new Mozilla Suite has been released at http://www.mozilla.org/products/mozilla1.x/

This is the first new release since May. It is the equivalent of Firefox 1.0.6 and has all the security updates.

Thank You mycroft i havent been there for awhile--i have also been using the free Opera its pretty good but kinda complicated for a real old house painter like me

The new Firefox 1.0.7 can be downloaded from http://www.mozilla.org/products/firefox/
Quoting from MozillaZine at http://www.mozillazine.org/


If you followed the suggestion to disable IDN on Firefox 1.0.6 then you will have to reenable IDN manually by toggling network.enableIDN back to TRUE. The config settings on your browser are not changed by updates, so any time you change a setting to provide temporary protection from a security bug, you have to change it back once the bug is fixed.