Mozilla offers temporary fix for Firefox flaw

Responding to the disclosure of a serious Web browser flaw, the Mozilla Foundation offered on Friday a temporary fix to protect Firefox and Mozilla users.

The downloadable fix protects against attacks that take advantage of a new, unpatched flaw that could let attackers secretly run malicious software on users' PCs. The flaw was disclosed late Thursday by security researcher Tom Ferris, sending Mozilla staff into damage-control mode.

The problem has to do with the way the Firefox and Mozilla browsers handle International Domain Names, or IDNs, said Mike Schroepfer, director of engineering at Mozilla. IDNs are domain names that use local language characters. The fix disables support for such Web addresses, he said.

"This is a temporary work-around just to deal with the immediate issue," Schroepfer said. "We're working on a future release in which we will actually fix the problem and re-enable the IDN feature." Switching off IDN support impacts a subset of Firefox and Mozilla users who actually use such special domain names, he said.

Though there is no known attack that takes advantage of the flaw, Mozilla advises Firefox and Mozilla users to disable IDN. "Luckily we do not have any known use of this exploit, but it is fairly critical if there were to be (an attack), so this is a recommended download," Schroepfer said.

Mozilla expects to fix the vulnerability in beta 2 of Firefox 1.5, the next release of the open-source Web browser. Beta 2 is due Oct. 5 and the final release of 1.5 is expected by year's end, Schroepfer said.

In addition to the downloadable fix, Mozilla on its Web site also offers instructions to manually disable IDN: Type "about:config" in the address bar, hit Enter; type "network.enableIDN" in the filter toolbar, hit Enter; right-click the "network.enableIDN" item and select Toggle to change value to false.

IDNs have caused trouble for Mozilla in the past. A Firefox security update in February fixed a flaw that would allow domain spoofing using the special domain names. A spoofed link would seem to be a legitimate address, but instead of taking the victim to the trusted site, the link would lead to a phony Web site.

Though vulnerabilities in Microsoft's Internet Explorer have been the focus of much of the concern, other browsers also have had their fair share of flaws. Security has been a main selling point for Firefox over IE, which has begun to see its market share dip slightly--for the first time in years.

However, Firefox has had its own security woes. Several serious holes in the browser have been plugged since its official release, and experts have said that safe Web browsers don't exist.

It's easy to fix,...

...if you don't need to use international domain names (i.e. most users that use a language from Western Europe).

From the article "...to manually disable IDN: type 'about:config' in the address bar, hit enter; type 'network.enableIDN' in the filter toolbar, hit enter; right-click the 'network.enableIDN' item and select toggle to change value to false."

[Des Alba]

You can Toggle it...

back and forth whenever you need to. It's advisable to keep the value at False because the challenge will be irresistable to some people to see if they can waltz through your system...

[M C]

If a flaw is never exploited...

...does it make a sound?

On Cnet it does!

[SmokieUK]

Pee Off

So vulnerabilities shouldn't be reported unless they're exploited? I'm fed up of people like you, always putting CNET down with your "this isn't news" etc. Hello? It's a [b]tech news[/b] site!

If you don't like reading CNET then go away!

[zizzybaloobah]

Which is better?

Firefox, not quite 1 year old, 3 out of 22 Secunia advisories is marked as "Unpatched" in the Secunia database.
or

IE, not updated in years, 19 out of 85 Secunia advisories is marked as "Unpatched" in the Secunia database.

I've yet to switch anyone to Firefox and later find they've reverted back to IE, or that spyware, adware, and other annoyances have returned.

No matter how many times I clean up a PC, if the users insists on using IE, the problems return.

(BTW, Opera is 0 for 7 unpatched)

[Nathan Lunn]

Just as important to note...

I.E. 6.x criticality (based on 69 advisories and not the full 85 current advisories)
Extremely 14%
Highly 29%
Moderately 20%
Less 14%
Not 22%

Taken from http://secunia.com/product/11/

Firefox 1.x criticality (based on 22 current advisories)
Extremely 0%
Highly 23%
Moderately 36%
Less 32%
Not 9%

Taken from http://secunia.com/product/4227/

*Another* security flaw?

I think firefox is starting to find out that it's not so easy to keep its browser secure once it starts getting actual market share and adding more advanced features.

I tried firefox, but eh - while its functional and I still use it on occassion, I still prefer IE under XP SP2.

[unknown unknown]

Reply

I don't know that rate at which flaws are found have increased but when they are, they get more publicity.

This isn't the first time IDN has caused problems, it's been a problem in just about every major browser at some point (at least the one that support it). Fortunitly Firefox is extremely configurable and customizable so that problem features like IDN can be turned off or modified until a full blown patch can be created. If this was a flaw in IE you'd have to wait for patch tuesday.

Microsoft's development of IE is allowed to stagnate until someone starts taking market share then they play catch up.

[hion2000]

Expect it

Firefox's greatest strength over Internet Explorer and Opera is that its Open Source. It is far more likely to find security vulnerabilities since the source is freely available. This is may seem like Firefox isn't secure, but every new flaw found and fixed pushes the next version of Firefox to a newer high in security.