The Mozilla Foundation issued a patch for a major security flaw in its Firefox browser on Wednesday and advised people to update their software.
The problem is caused by a buffer overflow in legacy Netscape code still included in the browser for animating GIF images, Chris Hofmann, director of engineering for Mozilla, said. Similar memory problems have affected Mozilla's browsers and Microsoft's Internet Explorer in the past. A malicious attacker could exploit them by creating carefully crafted image files that, when viewed by a victim in a browser, execute a program and compromise the system.
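The class of bug described above is easy to see in a small parser. GIF Application Extension blocks (including the Netscape looping extension used for animation) are made of data sub-blocks, each prefixed by a 1-byte length that the file author controls; the looping sub-block is supposed to be exactly 3 bytes (an id byte of 0x01 and a 16-bit loop count). The following C is an added, constructed illustration of a length-trusting copy beside its bounds-checked form. It is not Mozilla's code and does not reproduce the specific flaw the article reports; the function names, the sample sub-blocks and the 32-byte "neighbourhood" region are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * A GIF Application Extension (0x21 0xFF) carries data sub-blocks, each
 * prefixed by a 1-byte length chosen by whoever wrote the file.  The
 * Netscape looping extension uses one 3-byte sub-block:
 *   0x01, loop-count low byte, loop-count high byte
 * Everything here is constructed for illustration; it is not Mozilla code.
 */
#define NETSCAPE_SUB_BLOCK_LEN 3

/* Vulnerable pattern: the read is bounded by the input length, but the
 * write trusts the attacker-controlled length byte and targets a 3-byte
 * destination.  n may be anything up to 255. */
int parse_loop_block_unsafe(const uint8_t *blk, size_t blk_len, uint8_t *out3)
{
    if (blk_len < 1)
        return -1;
    uint8_t n = blk[0];
    if (blk_len < 1 + (size_t)n)
        return -1;                 /* input is long enough: the read is safe */
    memcpy(out3, blk + 1, n);      /* destination holds 3 bytes: the write is not */
    return n;
}

/* Hardened: the declared length must be exactly what the format allows and
 * must fit the destination the caller actually provides. */
int parse_loop_block_safe(const uint8_t *blk, size_t blk_len,
                          uint8_t *out, size_t out_cap)
{
    if (blk_len < 1)
        return -1;
    uint8_t n = blk[0];
    if (n != NETSCAPE_SUB_BLOCK_LEN || n > out_cap)
        return -1;                 /* reject oversized or undersized sub-blocks */
    if (blk_len < 1 + (size_t)n)
        return -1;
    if (blk[1] != 0x01)
        return -1;                 /* sub-block id must be 1 */
    memcpy(out, blk + 1, n);
    return n;
}

unsigned loop_count(const uint8_t *out3)
{
    return (unsigned)out3[1] | ((unsigned)out3[2] << 8);
}

/* Constructed sample sub-blocks (not taken from any real file). */
static const uint8_t kBenignBlock[] = { 0x03, 0x01, 0x05, 0x00 };   /* loop 5 times */
static const uint8_t kEvilBlock[] = {
    0x10,                          /* declares 16 bytes; the format allows 3 */
    0x01, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41
};

/* Feed the evil block to the unsafe parser.  A 32-byte region stands in for
 * the memory around a 3-byte buffer; count bytes written past offset 3. */
size_t demo_unsafe_bytes_clobbered(void)
{
    uint8_t region[32];
    memset(region, 0xAA, sizeof region);
    if (parse_loop_block_unsafe(kEvilBlock, sizeof kEvilBlock, region) < 0)
        return 0;
    size_t clobbered = 0;
    for (size_t i = NETSCAPE_SUB_BLOCK_LEN; i < sizeof region; i++)
        if (region[i] != 0xAA)
            clobbered++;
    return clobbered;              /* 13: offsets 3..15 were overwritten */
}

int demo_safe_rejects_evil(void)
{
    uint8_t out[NETSCAPE_SUB_BLOCK_LEN];
    return parse_loop_block_safe(kEvilBlock, sizeof kEvilBlock, out, sizeof out);
}

int demo_safe_benign_loop_count(void)
{
    uint8_t out[NETSCAPE_SUB_BLOCK_LEN];
    if (parse_loop_block_safe(kBenignBlock, sizeof kBenignBlock, out, sizeof out) < 0)
        return -1;
    return (int)loop_count(out);
}

int main(void)
{
    printf("unsafe parser clobbered %zu bytes past the buffer\n", demo_unsafe_bytes_clobbered());
    printf("safe parser on evil block: %d\n", demo_safe_rejects_evil());
    printf("safe parser on benign block: loop count %d\n", demo_safe_benign_loop_count());
    return 0;
}
```

The point to take from the unsafe version is that checking the length against the input is not enough; the same attacker-chosen byte also has to be checked against the destination, which is what lets a crafted image turn a decoder into a write primitive.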
The flaw was discovered by Internet Security Systems, a network protection company, and patched before the public learned of the issue, Hofmann said.
"We are staying ahead and being proactive in fixing the code," he said. "The deciding factor, in this case, was the potential for this: It's a little easier for hackers to turn it into an exploit that could be dangerous."
The Mozilla Foundation released version 1.0.2 of Firefox on Wednesday to fix the problem and asked all users to download and apply the update.
Recently published data has prompted questions about the security of Firefox. Security technology provider Symantec said in this week's Internet Threat Report that during the second half of last year, 21 vulnerabilities affected Mozilla browsers and 13 flaws affected Internet Explorer.
However, only seven of the flaws in Firefox were considered "highly severe," compared with nine in Internet Explorer.
Mozilla's Hofmann pointed to the data as a positive indication that the developers were doing a good job of securing the Firefox code.
"As the data shows, the flaws are of lesser severity," he said. "The kinds of things Microsoft's browser is vulnerable to are much more worrisome."
On Tuesday, Mozilla president Mitchell Baker predicted that Firefox won't suffer nearly as many security flaws as Internet Explorer and that the increasing popularity of the open-source browser won't change that.
"Microsoft has a proven track record with Internet Explorer," Microsoft said in a statement. "We continue to make significant investments in Internet Explorer, including Windows XP Service Pack 2, which features a much stronger security infrastructure to help thwart malware attacks, block suspicious content and eliminate many common spoofing attempts. In addition, Internet Explorer 7 will be a major upgrade that will focus on security."
Mozilla is currently reviewing the roughly 2 million lines of code that make up the Firefox browser to find vulnerabilities similar to the one patched Wednesday. Last August, the organization offered a bounty to anyone who finds significant flaws in the software. The developers are looking with particular intensity at the legacy code that remains in the browser.
"Most of the things that we are looking at and fixing are potential exploits that no one has figured out how to exploit yet," Hofmann said.
So when the hell do the massive numbers of vulnerabilities being reported in Firefox EVERY month stop being a sign that "Mozilla" is doing the right thing and finally get acknowledged as proof that the security in Firefox sucks?
-Mozilla offers a "bug bounty". Find a security bug and you get $500 of cash. Plain and simple. It's enough to entice anyone to go hunting for bugs.
-Firefox is open source, so naturally more bugs will be discovered by security firms. Aren't you glad they're being found and fixed by good people, instead of being found and exploited by a few hackers?
-Mozilla doesn't release patches according to a "patch cycle" like Microsoft does. Rather, they release a new version of the browser as it becomes necessary.
[i]The flaw was discovered by Internet Security Systems, a network protection company, and patched before the public learned of the issue, Hofmann said.[/i]
What happened to full disclosure the instant a vulnerability is found? Otherwise, it seems like the way Microsoft works.
if you think Firefox and the others suck so bad. I'm not trying to say people don't have the right to complain about Firefox security. As they say, what goes around comes around. I think it's a stupid argument on both sides. Very seldom do we hear anything constructive from either side. "IE sucks" or "Firefox sucks" aren't arguments that help either side. It's just crap talk.
The one thing I don't like about Firefox is having to redownload the entire program (albeit it's not that big) to fix a bug. Patches done right aren't that bad. However, I think Microsoft has made the word Patch into a dirty word.
I think Firefox will have security problems. The question is how fast do they respond to them? And how well do they fix them? Another good question would be how does this compare to the rest of the industry? Some might say that you have different levels of flaws. For me I only know of one level... CRITICAL.
My last comment here is about Microsoft. I know Microsoft has been getting hammered by a lot of people over software bugs. Right or wrong, it seems like everyone has a bone to pick with them. Even I go off ranting about them from time to time. My only comment to Microsoft users is: if you like their software, then keep using it. Not everyone is affected by flaws in software. For those of you tired of Microsoft, there are alternatives to almost every application they sell, some free, some not. Like any application, though, you are going to have to learn it, so give yourself some time and learn it.
Yeah right... Depend on what track record you're looking at.
And to all people that feel proven right about Firefox not being secure: give it the same time and goodwill as you give to (the "proven track record" of) IE.
Also, Mozilla/Firefox is built by volunteers, and I feel they have a much better "track record" than the browser that is created by a multi-billion-dollar company.
Version 1.0.2 is a complete failure. After installing it, Firefox no longer works and has left remnants that make it impossible to go back to 1.0.1 that did work. Mostly. I have had to move to another browser.
So it's bye bye, Firefiz. Until they fix it. Or I just might stay where I'm at. Firefox has been too problematic for me for a while. They have a questionable bug-fix avenue that makes minor sense.