Mozilla Under Fire

As allegations of malicious code and heightened insecurity swirl around,
Mozilla has updated its Firefox Web browser in what is being
termed “a security and stability release.”

Mozilla today released version 1.07 of Firefox, which includes numerous
security fixes. Security firm Secunia has rated at least one as “extremely critical.”

CAN-2005-2968 titled “Firefox Command Line URL Shell Command Injection”
is also known as Mozilla Bugzilla Bug 307185 “URLs passed on the command
line are parsed by the shell (bash).”

According to the Bugzilla record,
Mozilla has been aware of the flaw since at least Sept. 6 when the entry
was created.

The vulnerability could potentially have been used by a hacker to
compromise a user's system due to an issue with a shell script used by Firefox.
The issue affects only Linux/Unix users of Firefox.
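The bug class described above, a URL argument that a wrapper script hands to a second shell for parsing, is illustrated here by an added example of the hardened wrapper pattern; it is not Mozilla's own launcher script, and `browser_bin` is a stub standing in for the real browser binary so the script runs offline.

```shell
#!/bin/sh
# Added example, not Mozilla's launcher: a wrapper that passes a URL
# argument to a browser binary without letting a shell re-parse it.

# Stub for the real browser binary (assumption for this example): it just
# prints every argument it received, one per line.
browser_bin() { printf '%s\n' "$@"; }

# Defence in depth: accept only http(s) URLs made of an allowlisted
# character set, so shell-significant characters such as backticks,
# "$", ";", "|", quotes and spaces are refused before anything runs.
# Returns 0 if the argument is acceptable, 1 otherwise.
check_url() {
    case "$1" in
        *[!A-Za-z0-9:/._~?=\&%#@+-]*) return 1 ;;   # character outside allowlist
        http://*|https://*)           return 0 ;;   # acceptable scheme
        *)                            return 1 ;;   # any other scheme
    esac
}

# The actual fix is in the hand-off: "$1" stays a single argv element,
# "--" stops option parsing for values beginning with "-", and no
# second shell (sh -c, eval, or an unquoted expansion) is involved.
launch_url() {
    check_url "$1" || { echo "refused: $1" >&2; return 2; }
    browser_bin -- "$1"
}
```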

According to Mozilla, the 1.07 release also provides a fix for a
“potential buffer overflow vulnerability when loading a hostname with all
soft-hyphens.” As of press time, Mozilla had not yet updated its list of
vulnerabilities that are repaired in
1.07, so it is currently unclear as to the total number of fixes it
includes. The previous release included no fewer than 12 fixes.

The newest Mozilla Firefox update comes as Symantec’s latest Internet
Security Threat Report reports that Mozilla browsers have had more
vulnerabilities in the first six months of 2005 than any other browser,
including Microsoft’s Internet Explorer (IE).

Symantec’s report noted that between January and June of 2005 there were
25 vendor-confirmed vulnerabilities in Mozilla browsers, 18 of which were
deemed to be “high severity.” In stark contrast, IE had only 13 vendor-confirmed
vulnerabilities in the same period, and only eight of those were considered to
be high severity.

Beyond Symantec’s assertion of Mozilla’s industry-leading browser
vulnerability count, there has also been a recent allegation that a Mozilla
site may have unwittingly served as a vehicle for malicious code.

Russian security firm Kaspersky Labs alleges that the Korean Mozilla
Web site contained files infected with Virus.Linux.RST.b malicious code.
Kaspersky reports that “the infected files have now been removed, but it
took some time.”

In June, the Korean Mozilla site was reportedly hacked, though it is unclear
if the malicious code reported by Kaspersky is linked in any way to the

Mozilla’s popularity may also be under attack. A recent study from Web analytics firm NetApplication shows that Firefox may be losing its grip: for the first time since its launch, it is actually
losing a marginal amount of market share.
