RealTime IT News

Mozilla Firefox Still At Risk

Sometimes you get the flaw fixed right the first time and sometimes you don't.

Mozilla, it appears, has not properly fixed at least two flaws that it previously claimed to have fixed.

Last week Mozilla released Firefox 2.0.0.5, which was supposed to have fixed a flaw that Mozilla had attributed to Microsoft's Internet Explorer.

The flaw was originally reported on July 10 and involves the "firefoxurl://" uniform resource identifier (URI) handler, which Firefox registers with the operating system so that other applications can hand it a URL to open.

As part of the 2.0.0.5 release, Mozilla issued an advisory about the "firefoxurl://" handler, stating: "This fix only prevents Firefox and Thunderbird from accepting bad data. This patch does not fix the vulnerability in Internet Explorer."

It turns out that Internet Explorer isn't the only entry point for bad data into Firefox: any application that invokes the registered handler can pass it a crafted URI, so the handler itself has to treat whatever it receives as untrusted.

"We thought this was just a problem with IE. It turns out, it is a problem with Firefox as well," Window Snyder, Mozilla's chief security officer, wrote in her blog.

"We should have caught this scenario when we fixed the related problem in 2.0.0.5. We believe that defense in depth is the best way to protect people, so we're investigating it now."

Mozilla may also have another lingering security issue in its password manager, the component that stores users' saved passwords.

Security researchers at Heise Security have alleged that a password manager flaw first reported in November 2006, which Mozilla said was fixed in the Firefox 2.0.0.2 update in February 2007, is still open.

Claims that the password manager was not completely fixed are not new: in March of this year, security researcher Robert Chapin alleged that users were still at risk from the password manager.

Snyder acknowledged that there were other bugs in the password manager beyond those fixed in 2.0.0.2.

"Password manager is one of the components that is being considered for a rewrite, so a number of issues may be resolved then," Snyder told internetnews.com in March.

As it turns out, Mozilla has already begun rewriting the password manager, and its first public iteration was included in the fifth alpha release of Firefox 3, released in June.