February 8, 2006 11:23 AM PST

Exploit turns up heat for Firefox flaw

Related Stories

Security update out for Firefox 1.5

February 2, 2006

Attack code out for old Firefox bug

December 13, 2005

Mozilla issues Firefox alert

December 12, 2005

Mozilla takes wraps off Firefox 1.5

November 29, 2005
Computer code that could be used in cyberattacks on Firefox users has been released, increasing the urgency for people to upgrade to the latest version of the Web browser.

The two pieces of exploit code, posted online earlier this week, take advantage of a security vulnerability in Firefox that Mozilla patched in an update Thursday. In response to the exploit release, the browser maker on Tuesday upgraded the severity rating of the flaw from "moderate" to "critical," its most serious rating.

"This exploit was published after we released the update," said Mike Schroepfer, vice president of engineering at Mozilla. "Most of our users had already been upgraded by the time this exploit was published."

The code could be used to commandeer computers running a vulnerable version of the open-source Web browser on Linux or Mac OS X systems. It has been published as part of the Metasploit Framework, a widely used hacking tool.

The specific flaw exists only in Firefox 1.5 and was fixed in Firefox The problem could cause a memory corruption an outsider could use to run code on a vulnerable PC, according to a Mozilla advisory. The corruption would come from calling the "QueryInterface" method of the Location and Navigator objects in the browser.

Firefox users have already been urged to install the patched version of the browser. Security monitoring company Secunia last week rated the Firefox update "highly critical," and Mozilla has pushed out updates.

If for some reason users have not upgraded, they should definitely do so, Schroepfer said.

See more CNET content tagged:
flaw, Mozilla Corp., Firefox, Web browser, security


Join the conversation!
Add your comment
FF now anyone? lol
Ok, where's all the bashing now. Seems IE has exploit, a few suggested the unbreakable FF. Makes sense to suggest IE now? lol
Posted by Cuto (12 comments )
Reply Link Flag
The patch for this problem is out buddy. All you have to do is when FF tells you there is an update, you just click to install it. Most people using FF click to apply the first time they got the prompt. Were as with IE, the exploit is out before the patch, and half the people don'e apply it or even know its out.
Posted by (43 comments )
Link Flag
What's more funny, it seems that the exploit only work on the "unbreakable" Linux and Mac OSes.
Posted by FutureGuy (742 comments )
Link Flag
Bash, Bash, Bash
Firefox has a Flaw! A patch is available! Bash, Bash, Bash! Happy?

The fact it has seen a security exploit is both a negative and positive event. It's negative in that flaws are not good and it reflects on the security of the browser that was touted as built around security. It is positive that this newcommer browser has garnered so much attention in the short lifespan to be considered worthy of the attention of the scum hackers.

Welcome to the big time, Firefox, and take your place alongside Windows, IE, OSX, Linux and others that have made enough impact to be hacked at in this imperfect world of software written by humans.
Posted by Seaspray0 (9714 comments )
Link Flag
Max OS X
Take your Macintosh to the max! (I assume that this was supposed to be "Mac OS X".)
Posted by eBob1 (188 comments )
Reply Link Flag
Patch Before, Not After
That's one of the many reasons I prefer Firefox, compared to IE. They provide a patch before the malicious code strikes, not the other way around. Downloaded Firefox a few days ago---so I have nothing to worry about with this exploit.
Posted by Michael G. (185 comments )
Reply Link Flag
not always...
...FF bug list is pretty long, in this case they were just lucky. And moreover most virus writers are either spammers going after the bigger pot or overzealous Linux crusaders.
Here's a full bug list <a class="jive-link-external" href="https://bugzilla.mozilla.org/buglist.cgi?&#38;product=Firefox&#38;bug_status=UNCONFIRMED&#38;bug_status=NEW&#38;bug_status=ASSIGNED&#38;bug_status=REOPENED&#38;bug_status=RESOLVED&#38;resolution=WONTFIX&#38;resolution=---" target="_newWindow">https://bugzilla.mozilla.org/buglist.cgi?&#38;product=Firefox&#38;bug_status=UNCONFIRMED&#38;bug_status=NEW&#38;bug_status=ASSIGNED&#38;bug_status=REOPENED&#38;bug_status=RESOLVED&#38;resolution=WONTFIX&#38;resolution=---</a>
Posted by FutureGuy (742 comments )
Link Flag
That's so silly...
So you have a buffer of only one bit in your brain?
There has been no zero day exploits for IE in the last year. There was the WMF flaw, but that was a Windows flaw, not IE, and it affected you even if you used Firefox.
OTOH, Firefox has had at least one Zero Day exploit. Not the case of this last one, but that doesn't magically make past incidents disappear.
So the argument goes actually the other way. If you count zero day exploits, IE has a big edge over FF.
Now, the whole point is moot. The interesting part of this is not that FF has an exploit. It's that all the MS bashers that have nothing else to do than to criticize anything Microsoft does now have to go on claiming what they always criticize MS fanboys for saying. All software has flaws. It's the ability to handle them effectively and quickly that matters. All other considerations are of little importance.
Posted by Hernys (744 comments )
Link Flag
Remember one thing--patches are available as soon as a problem is discovered. This is unlike ms windoze. The Mozilla team will always make updates and patches ready ASAP once a security issue surfaces its ugly head.
Posted by solarflair (35 comments )
Reply Link Flag
How does this virus "commandeer" Linux? I thought you had to crack root.
Posted by directrix (1 comment )
Reply Link Flag
Perhaps it will if you are logged in as root and browsing the internet.

Not logging in with an administrative account is a big plus in security. I wish I could convince windows users to follow the same practice that many linux users do out of habit... log in with a generic user account unless you need administrative priveledges. Remember, security is not just the responsibility of the OS.
Posted by Seaspray0 (9714 comments )
Link Flag
Not another Flaw :-(
Another day another patch when will they ever get it right.
Posted by (19 comments )
Reply Link Flag
Software will always leave room for improvement. No product is ever entirely perfect and software inherently differs in many ways from physical products in ways that make it more difficult to get "just right".

In software we also struggle with the fact that it's a young industry, relative to other engineering disciplines. There is a growing movement in the industry, especially at the university level, to work towards remedying those issues with the introduction of formal engineering practices into software. It's slow going though because there is an existing mentality of corporate rebellion (if the term rebellion can really be applied to throngs of nerds) and informality already ingrained in the current crop of developers. We are already seeing more college grads that come from "Software Engineering" programs, rather than traditional computer science studies.
Posted by someguy389 (102 comments )
Link Flag
Firefox vs IE Security
Were Firefox is most secure is as a spyware stopper. Since I switched I went from up to 12 a week per each of the 9 PC's in my network in a week to 1 or 2 every six months per unit.

So you can't go to a site that uses ActiveX, complain to the site and use Firefox.
Posted by slim-1 (229 comments )
Reply Link Flag
THAT was why Firefox popped up for upgrading?! Hmph, had the patch before I knew there was an exploit.

Pre-emptive fixing, gotta love it! :)
Posted by dragonbite (452 comments )
Reply Link Flag
Just in time to have people switch back to IE7
Trying out the beta right now, its pretty sweet, tab preview is sweet.

and I guess now you can say its just about as secure as FF, but since FF has exploits and IE has exploits and they will all continue to have exploits then really who cares?

IE7 baby

Its great: <a class="jive-link-external" href="http://www.microsoft.com/windows/ie/ie7/default.mspx" target="_newWindow">http://www.microsoft.com/windows/ie/ie7/default.mspx</a>
Posted by mcepat (118 comments )
Reply Link Flag
MS updates IE after 3 years
It's funny it took this long for Microsoft to update their browser, copycats of Mozilla and Opera with tabbed browsing.
Posted by pentium4forever (192 comments )
Link Flag
Tab browsing is nothing new for opera, mozilla and firefox. windoze is and expert at stealing eye-candy from osx and nix systems. They have no choice because they are being left behind. However, eye-candy will not replace the armor protecting all nix and BSD platforms. I have been a Linux user since Jan. 2000 and may main server, router run Fedora Core. Nightly updates are performed via apt-get which keeps my system rock-solid. Gnome and KDE are GUI's with more eye-candy than most need. (TAR), tape archive files give much greater freedom to compile source MY-WAY...Even using the terminal with Lynx I can surf the web and have more than one window in view. Konqueror in KDE is a great web browser with tabbed windows.
Have a great day...
Posted by solarflair (35 comments )
Link Flag
I'm also running the Beta, and it's certainly an improvement, but
there are still plenty of OTHER reasons to use Firefox - the main
one being it's commitment towards standards compliance.

MS users typically have a negative attitude towards this - 'it
works for me and 90% of the world, so who cares' - which is one
reason the other 10% of people get so annoyed. If MS would
make their browser standards compliant (breaking all those IE
only web pages in the process, so not likely) then a lot of that
anger would go away, because people would have a free choice
in what they use - at the moment, their choice is limited by the
action of others.

'Quit whining and use IE' seems to be the line, but that's holding
back innovation - I don't see IE on my PSP or PS2 or set-top box
or PDA or Phone - ALL of which can connect to the Internet.

There's also the fact that Firefox is massively extensible, and
rapidly changing, while it's taken years to get tabbed browsing
into IE. You get a similar thing happening with Apple's 'Safari'
browser - new features only come along with a new version of
the OS, while other browsers innovate around it.

Oh yes - as my other post says - schaudenfreude is no basis for
a security policy.
Posted by JulesLt (110 comments )
Link Flag
...and have your antivirus disabled. Cool feature, esp. now since MS comes out with their own antivirus junk.
Posted by Steven N (487 comments )
Link Flag
Firefox is still more secure than IE. It fixes flaws very quickly.
Posted by pentium4forever (192 comments )
Reply Link Flag
FF being more secure than IE is not a myth, parts of it is true. No ActiveX for one thing which is a big difference. Futureguy's post is a myth.
Posted by pentium4forever (192 comments )
Reply Link Flag
I second your post!
Yeah, the funny thing is Microsoft hasn't had a major update to IE since 2002. Now that FF is gaining popularity, MS is getting a little scared and now choose to take action. They are copying Mozilla for tabbed browsing but since they are behind, they have no choice.
Posted by pentium4forever (192 comments )
Reply Link Flag
Just good business
This isn't funny, it's expected and smart business. MS didn't update IE because they had no reason to. It's not a sellable product, so there was no money to be made from new versions. Why invest money in significant improvements when no one is challenging you? Now that there is a significant challenger for market share, MS has a reason to improve their product. I'm more tempted to blame the rest of the industry for taking so long to create a product that can compete than I am to blame MS for being stagnant on this one. Development costs money and they have shareholders to satisfy. MS doesn't have an ethical obligation to provide us with new features and software, especially software we expect to be free. On the other hand, they do have an ethical obligation to their shareholders.
Posted by someguy389 (102 comments )
Link Flag
copying Mozilla??
where have you been? Tabbed browsing has been around way before Mozilla care around. There were even plugins available for IE that allowed tabbed browsing.
Posted by FutureGuy (742 comments )
Link Flag
Mozilla are downplaying vulnerabilities again!
They already did that in the past (see: <a class="jive-link-external" href="http://aviv.raffon.net/2006/02/07/MoreMozillaSecurityAdvisoriesMoreVulnerabilitiesDownplay.aspx" target="_newWindow">http://aviv.raffon.net/2006/02/07/MoreMozillaSecurityAdvisoriesMoreVulnerabilitiesDownplay.aspx</a> ).
Posted by _smigol (1 comment )
Reply Link Flag
Stealing reply
Well I suppose it isn't maybe stealing but it just cracks me up that now IE decides to upgrade their browser right when FF starts making a mark in the browser world. 3 years and now IE will finally get a major upgrade. The update for SP2 for XP wasn't a major update.
Posted by pentium4forever (192 comments )
Reply Link Flag
Guess I'll stick with IE, then
There's been a lot of FF security problems of late. I think I'll just stick with IE, which has never given me any problem in that area.

I figured once FF got some market share and thus started to become a target for hackers that this would start happening.
Posted by (402 comments )
Reply Link Flag
I still prefer FF
I never had much security trouble with IE, but I don't with FF either, and I still get a lot less spyware and other crap with FF, so I'll stick with it for now.
Posted by Musmanno (101 comments )
Link Flag
Look up each and then decide for yourself which is safer. Which one has more outstanding issues?
Posted by bemenaker (438 comments )
Link Flag
Silly boy
The main reason Firefox is more secure than IE is that IE uses Active-X. That is the most insecure part of the browser. This allows drive-by installation of spyware on your system.

Firefox, especially if you run the NOSCRIPT extension is pretty much impervious to these types of threats.

We will see what IE7 has to offer, but unless they drop active X they are going to remain vulnerable.

There is no question, for the average user, FireFox is safer than IE.
Posted by Classic Software (15 comments )
Link Flag
This has become ridiculas.
I went through reading all these post bashing one side or the other and even commented on a few of them.

This has become ridiculas, not that I expected anything more, but what you have is one side hell bent on proving that IE is just as safe and secure as anything else out there and the other side hell bent of proving them wrong. The fact is IE can be just as secure as Firefox and Firefox can be just as insecure as IE. It does boil down to how each are used and updated. Firefox is updated faster generally than IE. Of course one could say that as long as IE has been out without any significant updates that it should be rock solid and bulletproof.

I have gone from looking so much at security and all the bells and whistles of a browser to looking at it's useability, stability, and, as a web developer, codeability.

Here's my assesment. IE is a simple interface that most people are use to. It renders most pages as long as they are not to heavy into the W3C standards. Most people will be just as happy with IE as I am with Firefox. From a web developers point of view. I hate IE for not even comming close to trying to be more standard compliant.

Firefox and Opera are both good browsers that are lightweight and full of power. I think they are both far more functional than IE, but that's just a matter of opinion. I like the way Firefox and Opera render pages and Opera has a lot of useful extras. From a web developers point of view it's nice to create a w3c compliant page and have it actually render correctly (I do mean more than basic HTML and basic CSS 1).

I say use what you like. If you like IE use it. If you don't use something else.
Posted by System Tyrant (1453 comments )
Reply Link Flag
Right ON!
Good post.
I use IE - won't change.
I like German beer - won't change.
I like pretty women - won't change.
So, even though they all have pros/cons - I know what I like. Why does everyone want to talk others into changing? If you are truly happy with what you have, common behavior is to keep it for yourself!

LOL - later.
Posted by Sharkster (16 comments )
Link Flag
Techie's Boxing Ring
For that comment you should be awarded the practical thinking award of the month. I'm also fascinated by how passionate people can get concerning their web browsers and/or their OS---almost as if they're married to them. Some people get almost as angry and insulted as if you've insulted their wife or girlfriend. I said it well once---"Everybody wants their 15 minutes of fame or flame". Everybody wants to be the "smart" person on the block, until the next "smart" person comes along and knocks 'em off their perch---it makes for fun and interesting reading, but as my comments are included above too...

I've come to the conclusion that this is a form of techie's boxing ring. Nobody here is (probably) a real in-the-ring boxer like Mike Tyson, so it relieves the stress to believe we're "fighting" about something that is cerebrally important...and maybe it is. The question I've had is how much of a difference does it make? Is anyone here going to switch from IE to Firefox, or vice-versa? When it's all said and done, and CNET's article goes in the pile three days later, will anything have been accomplished?

Pass around the peace pipe, folks---be satisfied and celebrate the technology you have.
Posted by Michael G. (185 comments )
Link Flag
Please read my earlier comment. As long as IE has active-x, it will remain less secure than FireFox.

As someone who removes Spyware from other peoples PC's, IE remains more vulnerable to Spyware.
Posted by Classic Software (15 comments )
Link Flag
Just for fun.
Firefox 1.x vulnerabilities
<a class="jive-link-external" href="http://secunia.com/product/4227/" target="_newWindow">http://secunia.com/product/4227/</a>

Internet Explorer 6.x vulnerabilities
<a class="jive-link-external" href="http://secunia.com/product/11/" target="_newWindow">http://secunia.com/product/11/</a>

An interesting read for those of you who like statistics.
Posted by System Tyrant (1453 comments )
Reply Link Flag
That is Fun
Posted by random-rambler (11 comments )
Link Flag
Very Fun...
I liked the pie graphs the best.
Posted by Michael G. (185 comments )
Link Flag
Schadenfreude is not a great security policy. I don't really
understand the attitude of Microsoft fans in delighting in seeing
flaws in other people's products.

It doesn't help improve the situation for them one bit to know
that BOTH major browsers on the Windows platform are flawed -
especially when they are probably less protected than other
systems once someone compromises the browser. (I say
probably, because people running a well-configured XP Pro
installation will be safer).
Posted by JulesLt (110 comments )
Reply Link Flag
Especially if they run XP Pro ...
... disconnected from the Internet. IF WIndows and IE aren't the
problem, then the Internet must be.
Posted by Earl Benser (4310 comments )
Link Flag
Thanks Matthew - this is something many people are so
ignorant of, and for some strange reason hostile to - that the
biggest problem with IE is that it doesn't comply with standards.

It might seem a stupid thing to be concerned about, when
'everyone has IE' but it becomes a vicious circle. New devices like
the Sony PSP have wireless connection and a web browser, but
cannot access many badly written pages. As the screens on
mobile phones grow, this will only become more of an issue.

Equally, browser development has also been held back - the
other browsers support standards like SVG and the 'canvas' tag,
which could really improve the graphical experience of the web,
but instead the only way to achieve these things is through
using the Flash plugin. Again, your typical user will say 'well,
that's not a problem, more people have Flash than IE' - except
your PSP users and a lot of phone users.

The point is that ANYONE could write a browser that works to
standards. (It is up to them how good a job they do of it). If you
want a Flash player or IE, you need to wait for Macromedia or
Microsoft to write it for you - and they may decide at any point
to cease support.

If you can't see how this hurts innovation, then I'm afraid you're
lacking in imagination.
Posted by JulesLt (110 comments )
Reply Link Flag
Standards...not always best
The problem with standards often ends up being whether they're strict or loose. Strict standards tend to defeat innovation in technology because you often have to "develop" by committee. In the case of net technologies, innovation by the market has been extremely successful. And when combined with a loose coupling to the W3C standards, the web has, for the most part worked fine.

Companies like Adobe/Macromedia (Flash) Apple (QuickTime) and others have every right to develop products for the browser. This should not interfere with the W3C developing standards for other technologies like SVG. As a matter of fact, SVG development was driven by the introduction of other graphic formats by Microsoft, Adobe, Macromedia and Sun.

The above points out that many standards derive from non-standard ideas and successes. You could argue that, in many cases, it is non-standard code that drives the innovation that leads to standard technology.

One recent example is AJAX. Javascript was not a standard when it began and it took awhile to become a standard. XMLHTTPREQUEST was a non-standard success invented by Microsoft and that to took awhile to become part of standard. In the case of IE7, MS has moved closer to the W3C standards for CSS, and according to the IE team, will keep working to meet those standards.

But I hope it doesn't stop MS or any other company from introducing technology that is worthwhile but doesn't meet the standards dujour.
Posted by robertcampbell2 (103 comments )
Link Flag
FF Patched in a day, IE in months
if IE even gets patched or acknowledged that it has bugs...... I'll stick with FF.
Posted by likes2comment (101 comments )
Reply Link Flag
DOS was purchased from Tim Patterson for 50k. Gates bought QDOS (quick and dirty operating system) after IBM failed to get CP/M (Killdall wouldn't sign IBM's NDA).
Posted by imric1 (26 comments )
Reply Link Flag
Feature I'd like
A large majority of people will eventually visit a website that is malicious and changes their broswer settings without their consent. IE is more vulnerable in this due to most people having the active X turned on. Microsoft has done alot recently to sandbox this behavior but even so it can happen. As for firefox, I'm not sure how vulnerable it is but I'm inclined to believe less so than IE because of the lack of active X.

Active X in itself does allow you to do some nice things so it's a matter of preference if you want to use it or not, but many people do.

I would love to see a feature in all browsers that allows you to RESET it to the day it was born. I would include replacing all the files associated with it as well. Too often the only recourse is reloading the operating system. Flaws are something I expect in all software; I'd just like the ability to remove the nasty effects of those flaws easily.
Posted by Seaspray0 (9714 comments )
Reply Link Flag
I'm not sure how effective it would be
But you could try using the repair feature from Add/Remove programs sometime with I.E. it may clear a few things up.

The problem with alot of the malicous stuff (in windows)though is that it adds entries to your run key and it just gets reinstalled the next time you reboot. So without cleaning that up (something I would not suggest w/o being familure with it first) you would just get the same poblems over again.
Posted by Bob Brinkman (556 comments )
Link Flag
I thought fireflops was immune to viri
at least that's what the blind followers were always saying....................
Posted by MS789 (17 comments )
Reply Link Flag
Not quite.
You will always be vulnerable if you have an
unstable platform...

IE + Windows = Bad
IE + Linux = Good
Firefox + Windows = OK
Firefox + Linux = Excellent
Posted by Johnny Mnemonic (374 comments )
Link Flag
Think again....
.... no one ever said that..

Linux is nowhere near the security problem that Windows is, and
FireFox, while not perfect, blows IE out of the water for security.
Simple facts of life. Get yours straight.
Posted by Earl Benser (4310 comments )
Link Flag
Hmm, I found a new 'flaw ' this morning
I was using IE this morning to download the latest msi installer from the MS site (the browser autoloads from .NET installer despite having FF as default). WinPatrol tells me that a RunOnce is being initiated, BEFORE I Clicked anything on the page. Are some 'flaws' voluntary? Or do I just need to avoid bad sites?
Posted by S7777 (2 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.