RealTime IT News

Firefox Update Patches Three in Time

Firefox officials released a security update to the popular Firefox Web browser, version 1.0.2, on Wednesday.

The update fixes three known vulnerabilities in the browser, two critical and one low-threat flaw, before they could be exploited by hackers, said Chris Hofmann, the Mozilla Foundation's director of engineering. Developers at the organization spent the past week integrating and testing the patch.

The most critical vulnerability was a heap overflow flaw in GIF parsing, reported to the Mozilla Foundation a week-and-a-half ago, Hofmann said. The vulnerability, if exploited, would have allowed an attacker to run arbitrary code on the end user's computer.

The second, though less critical, vulnerability patched in this latest version involved a flaw in Firefox's sidebar panel. If a person happened to bookmark a Web page designed to download malware when visited, the flaw allowed that page to execute arbitrary programs by opening a privileged page and placing JavaScript code within.

A low-level threat was also plugged in Firefox 1.0.2. It involved tricking a user into dragging and dropping an element in a way that bypasses the restriction on opening privileged XUL, which are XML tags that describe what user interface the computer is using.

This is the second security update in the past month for Firefox. In late February the Mozilla Foundation released Firefox 1.0.1, which corrected numerous bugs in the code.

Normally, Hofmann said, security updates are handled periodically, but serious vulnerabilities are cause for putting out fixes sooner. Wednesday's security update was prompted by the GIF parsing flaw; the other two happened to be ready when the update was set for release. Hofmann pointed out that the job of turning out a security update is made much faster in the open source community.

"We've always had a pretty active development community that's got a passion for security and privacy," he said. "When any issue is raised, they jump on it pretty quickly."