JavaScript Flaw Hits Mozilla Users

Russian security researcher going by the alias Azafran has discovered a flaw in Mozilla Suite and Firefox Web browsers that could potentially put users at risk from the disclosure of arbitrary heap memory.

The JavaScript Lambda Replace Heap Memory Disclosure Vulnerability exists in how the ‘replace()’ function handles lambda expressions. An attacker could exploit the flaw and read the arbitrary contents of a users heap memory. It could also potentially be used for further attacks against the vulnerable computer.

Security firm Secunia has posted a Arbitrary Memory Exposure Test written using the proof of concept code developed by Azafran. Current versions of Mozilla (1.7.6) and Firefox 1.0.1 and 1.0.2 are presently vulnerable to this exploit.

Mozilla’s bug tracking system, Bugzilla, labels the flaw “critical.” A patch is listed as having been posted on the Bugzilla site late on April 1, though it is unclear whether or not that patch has been “pushed” to end users.

Until such time as the patch is integrated into the Mozilla browsers directly (or via the update mechanism), users are cautioned to disable JavaScript support in order to reduce their risk from this particular threat.

Just last week, the Mozilla foundation announced that is had paid out $6,000 in so called “bug bounties” to developers for finding flaws in Mozilla applications. The aim of the program is to enlist and reward the community for helping Mozilla to secure its applications.

News Around the Web