July 6, 2005 3:57 PM PDT

Exploit heightens risk from old Firefox flaw

Computer code that could be used to attack systems with older versions of Firefox has been released on the Internet, security experts have warned.

The exploit code takes advantage of a security vulnerability in Firefox 1.0.1 and earlier versions of the open-source Web browser, the French Security Incident Response Team, or FrSIRT, said in an advisory posted Wednesday.

The bug exists because of an error in the way the older versions of Firefox handle GIF images. An attacker could gain control of a PC by luring the user to a Web page or sending an e-mail containing a specially crafted image, according to FrSIRT, which rates the issue "critical."

Only Firefox 1.0.1 and earlier are vulnerable. The image-parsing problem was fixed in Firefox 1.0.2, which was released in March. Since then, two more Firefox updates have been released, mostly to address security issues. The most recent version is Firefox 1.0.4, which was released in May.

Because the security bug was quashed more than three months ago, the exploit release is less of a concern, said Michael Sutton, a lab director at security company iDefense. "Given the length of time during which patches have been available, I would consider the release of this exploit to be a credible threat, but not critical," he said.

A representative for the Mozilla Foundation, the maker of Firefox, said most of the browser's users have upgraded to version 1.0.4. Mozilla encourages people to check for updates regularly and update their browser when a new version is available, the representative said.

Since the debut of Firefox 1.0 in November, its usage has grown at a rapid pace. Security has been a main selling point for Firefox over Microsoft's rival Internet Explorer. The number of downloads of the software is close to passing the 70 million mark, according to the download counter on the Spread Firefox Web site. That total represents downloads of all versions, so it doesn't necessarily represent individual users.

Firefox has demonstrated that the mature Web browser market, dominated by Internet Explorer, can be shaken up. IE has begun to see its market share dip slightly--a first in a number of years. Firefox U.S. usage share reached nearly 7 percent at the end of April, according to tracking company WebSideStory.

There's been a terrible mistake
by July 6, 2005 7:47 PM PDT
All through the story, they kept saying Firefox. Surely they meant Internet Explorer?

We're continually told that Firefox is the dog's testicles & IE sucks. Or perhaps the story was about Safari, or Opera, or Netscape, or Gopher or any other browser apart from Firefox.

Or could it just be that, as I KEEP on telling y'all......ALL software has bugs.
Oh Please
by Far Star July 7, 2005 8:33 AM PDT
Who really doesn't know this? Who do you think you're being the uber guru for on this site? Hint: THIS IS A TECH NEWS SITE! I.e. you are trying to look sooo smart for people that probably know far more than you.

Try and remember:
1) IE has more bugs (and more serious ones) than Firefox (compare http://secunia.com/product/11/ to http://secunia.com/product/4227/ ... 83 vulnerabilities to 19) and that is the key factor, not that one or the other is bug free but what effect the existing (and new) bugs have on security. IE is crap compared to Firefox, in fact they just found a new "extremely critical" bug in IE (see http://secunia.com/advisories/15891/)

2) Everyone knows that software has bugs and I've NEVER seen anyone claim otherwise ... the Firefox team has claimed they are more secure, not bug free.

3) Sarcasm as a tool for debate is only reserved for those that don't know what they are debating about.

Come back when you have something more substantial to say.
Let me guess
by July 6, 2005 10:34 PM PDT
It affects Windows versions of Firefox right?
Doubt It
by Andrew J Glina July 7, 2005 12:42 AM PDT
Most Firefox flaws would be common to all versions.
People just need to upgrade!
by PCCRomeo July 7, 2005 8:36 AM PDT
I can't believe this was made into a story. Before you know it they'll start reporting of flaws in Internet Explorer 4, and Opera 6. I could see them reporting it if, say, there was an OS not supporting Firefox 1.0.4. But there's no OS' not supporting 1.0.4 as 1.0.1.
Well That's It!
by July 7, 2005 9:07 AM PDT
Too many bugs in FireFox. They should have thrown away all of the original Netscape source code instead of building on top of it.

I'm switching back to IE. Oh wait, I never left IE because I knew FireFox was a bunch of hype in the first place.

The lesson to take away from this is your crap stinks as much as the next person's so quit hyping it.

If you want to be secure then unplug your computer from the Internet, or in the very least quit visiting the smut sites.
What a load of bs
by July 7, 2005 9:28 AM PDT
you my friend are so damn stupid maybe you should know what you are talking about before you start talking cuz all I hear is a load of bs. but thank you, at least I know that stupid ppl like you still exist.
LOL
by July 7, 2005 10:14 AM PDT
Seriously. I'm sticking with IE!