September 9, 2005 5:32 PM PDT

Mozilla offers temporary fix for Firefox flaw

Responding to the disclosure of a serious Web browser flaw, the Mozilla Foundation offered on Friday a temporary fix to protect Firefox and Mozilla users.

The downloadable fix protects against attacks that take advantage of a new, unpatched flaw that could let attackers secretly run malicious software on users' PCs. The flaw was disclosed late Thursday by security researcher Tom Ferris, sending Mozilla staff into damage-control mode.

The problem has to do with the way the Firefox and Mozilla browsers handle International Domain Names, or IDNs, said Mike Schroepfer, director of engineering at Mozilla. IDNs are domain names that use local language characters. The fix disables support for such Web addresses, he said.

"This is a temporary work-around just to deal with the immediate issue," Schroepfer said. "We're working on a future release in which we will actually fix the problem and re-enable the IDN feature." Switching off IDN support impacts a subset of Firefox and Mozilla users who actually use such special domain names, he said.

Though there is no known attack that takes advantage of the flaw, Mozilla advises Firefox and Mozilla users to disable IDN. "Luckily we do not have any known use of this exploit, but it is fairly critical if there were to be (an attack), so this is a recommended download," Schroepfer said.

Mozilla expects to fix the vulnerability in beta 2 of Firefox 1.5, the next release of the open-source Web browser. Beta 2 is due Oct. 5 and the final release of 1.5 is expected by year's end, Schroepfer said.

In addition to the downloadable fix, Mozilla on its Web site also offers instructions to manually disable IDN: Type "about:config" in the address bar, hit Enter; type "network.enableIDN" in the filter toolbar, hit Enter; right-click the "network.enableIDN" item and select Toggle to change value to false.

IDNs have caused trouble for Mozilla in the past. A Firefox security update in February fixed a flaw that would allow domain spoofing using the special domain names. A spoofed link would seem to be a legitimate address, but instead of taking the victim to the trusted site, the link would lead to a phony Web site.

Though vulnerabilities in Microsoft's Internet Explorer have been the focus of much of the concern, other browsers also have had their fair share of flaws. Security has been a main selling point for Firefox over IE, which has begun to see its market share dip slightly--for the first time in years.

However, Firefox has had its own security woes. Several serious holes in the browser have been plugged since its official release, and experts have said that safe Web browsers don't exist.

11 comments

Join the conversation!
Add your comment
It's easy to fix,...
...if you don't need to use international domain names (i.e. most users that use a language from Western Europe).

From the article "...to manually disable IDN: type 'about:config' in the address bar, hit enter; type 'network.enableIDN' in the filter toolbar, hit enter; right-click the 'network.enableIDN' item and select toggle to change value to false."
Posted by Shoa_Creek (79 comments )
Reply Link Flag
You can Toggle it...
back and forth whenever you need to. It's advisable to keep the value at False because the challenge will be irresistable to some people to see if they can waltz through your system...
Posted by Des Alba (68 comments )
Reply Link Flag
If a flaw is never exploited...
...does it make a sound?

On Cnet it does!
Posted by M C (598 comments )
Reply Link Flag
Pee Off
So vulnerabilities shouldn't be reported unless they're exploited? I'm fed up of people like you, always putting CNET down with your "this isn't news" etc. Hello? It's a [b]tech news[/b] site!

If you don't like reading CNET then go away!
Posted by SmokieUK (39 comments )
Link Flag
Which is better?
Firefox, not quite 1 year old, 3 out of 22 Secunia advisories is marked as "Unpatched" in the Secunia database.
or

IE, not updated in years, 19 out of 85 Secunia advisories is marked as "Unpatched" in the Secunia database.

I've yet to switch anyone to Firefox and later find they've reverted back to IE, or that spyware, adware, and other annoyances have returned.

No matter how many times I clean up a PC, if the users insists on using IE, the problems return.

(BTW, Opera is 0 for 7 unpatched)
Posted by zizzybaloobah (218 comments )
Reply Link Flag
Just as important to note...
I.E. 6.x criticality (based on 69 advisories and not the full 85 current advisories)
Extremely 14%
Highly 29%
Moderately 20%
Less 14%
Not 22%

Taken from <a class="jive-link-external" href="http://secunia.com/product/11/" target="_newWindow">http://secunia.com/product/11/</a>

Firefox 1.x criticality (based on 22 current advisories)
Extremely 0%
Highly 23%
Moderately 36%
Less 32%
Not 9%

Taken from <a class="jive-link-external" href="http://secunia.com/product/4227/" target="_newWindow">http://secunia.com/product/4227/</a>
Posted by Nathan Lunn (113 comments )
Link Flag
*Another* security flaw?
I think firefox is starting to find out that it's not so easy to keep its browser secure once it starts getting actual market share and adding more advanced features.

I tried firefox, but eh - while its functional and I still use it on occassion, I still prefer IE under XP SP2.
Posted by (402 comments )
Reply Link Flag
Reply
I don't know that rate at which flaws are found have increased but when they are, they get more publicity.

This isn't the first time IDN has caused problems, it's been a problem in just about every major browser at some point (at least the one that support it). Fortunitly Firefox is extremely configurable and customizable so that problem features like IDN can be turned off or modified until a full blown patch can be created. If this was a flaw in IE you'd have to wait for patch tuesday.

Microsoft's development of IE is allowed to stagnate until someone starts taking market share then they play catch up.
Posted by unknown unknown (1951 comments )
Link Flag
Expect it
Firefox's greatest strength over Internet Explorer and Opera is that its Open Source. It is far more likely to find security vulnerabilities since the source is freely available. This is may seem like Firefox isn't secure, but every new flaw found and fixed pushes the next version of Firefox to a newer high in security.
Posted by hion2000 (115 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.