RealTime IT News

Mozilla Under Fire

As allegations of malicious code and heightened insecurity swirl around it, Mozilla has updated its Firefox Web browser in what it terms "a security and stability release."

Mozilla today released version 1.07 of Firefox, which includes numerous security fixes. Security firm Secunia has rated at least one as "extremely critical."

CAN-2005-2968, titled "Firefox Command Line URL Shell Command Injection," is also tracked as Mozilla Bugzilla Bug 307185, "URLs passed on the command line are parsed by the shell (bash)."

According to the Bugzilla record, Mozilla has been aware of the flaw since at least Sept. 6 when the entry was created.

The vulnerability could potentially have been used by an attacker to compromise a user's system, due to an issue in a shell script used to launch Firefox. The issue only affects Linux/Unix users of Firefox.
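The bug class behind CAN-2005-2968 is easiest to see in a small wrapper script. The following is an added example, not Mozilla's launcher script and not the code from Bug 307185: it assumes a hypothetical wrapper that builds a command string from its URL argument and hands it back to the shell with eval, and sets that beside the corrected form, which passes the argument through as a quoted word. The sample URL is constructed; the substitution embedded in it only echoes a marker, which makes the difference between the two launchers visible in their output.

```shell
#!/bin/sh
# Added example, not Mozilla's own launcher script: a minimal stand-in for a
# browser wrapper that receives a URL on its command line. The vulnerable
# variant is an assumption about the bug class, not a copy of Bug 307185.

# Constructed sample URL. The $(...) inside it is harmless here (it only echoes
# a marker), but it is exactly the kind of text a shell re-parse would execute.
SAMPLE_URL='http://example.com/$(echo INJECTED)'

# Vulnerable pattern: the wrapper assembles a command line as a string and
# re-feeds it to the shell with eval. The URL is expanded into that string
# unquoted, so the shell treats $(...), backticks and ; inside the URL as
# syntax instead of data. printf stands in for the real browser invocation.
unsafe_launch() {
    eval "printf '%s\n' $1"
}

# Corrected pattern: the argument is passed through as a single quoted word and
# is never re-parsed. The shell sees one literal string, whatever it contains.
safe_launch() {
    printf '%s\n' "$1"
}

# Demonstration helper: returns 0 (true) when the named launcher altered the
# URL it was given, i.e. when the shell re-interpreted part of it.
url_was_reparsed() {
    [ "$("$1" "$SAMPLE_URL")" != "$SAMPLE_URL" ]
}

echo "vulnerable: $(unsafe_launch "$SAMPLE_URL")"   # prints http://example.com/INJECTED
echo "corrected:  $(safe_launch "$SAMPLE_URL")"     # prints the URL unchanged
```

The fix is quoting, not filtering: characters such as `&`, `;` and `$` occur in legitimate URLs, so stripping them would break real links while a single unquoted expansion elsewhere in the script would still leave the hole open.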

According to Mozilla, the 1.07 release also provides a fix for a "potential buffer overflow vulnerability when loading a hostname with all soft-hyphens." As of press time, Mozilla had not yet updated its list of vulnerabilities that are repaired in 1.07, so it is currently unclear as to the total number of fixes it includes. The previous release included no fewer than 12 fixes.

The newest Mozilla Firefox update comes as Symantec's latest Internet Security Threat Report states that Mozilla browsers had more vulnerabilities in the first six months of 2005 than any other browser, including Microsoft's Internet Explorer (IE).

Symantec's report noted that between January and June of 2005 there were 25 vendor-confirmed vulnerabilities in Mozilla browsers, 18 of which were deemed "high severity." In stark contrast, IE had only 13 vendor-confirmed vulnerabilities in the same period, and only eight of those were considered high severity.

Beyond Symantec's assertion of Mozilla's industry-leading browser vulnerability count, there has also been a recent allegation that a Mozilla site may have unwittingly served as a vehicle for malicious code.

Russian security firm Kaspersky Labs alleges that the Korean Mozilla Web site contained files infected with Virus.Linux.RST.b malicious code. Kaspersky reports that "the infected files have now been removed, but it took some time."

In June, the Korean Mozilla site was reportedly hacked, though it is unclear if the malicious code reported by Kaspersky is linked in any way to the incident.

Mozilla's popularity may also be under attack. A recent study from Web analytics firm Net Applications shows that Firefox may be losing its grip: for the first time since its launch, it is actually losing market share, if only marginally.