The Mozilla Foundation has released the latest version of its popular
Firefox browser, along with a series of patches intended to prevent spoofing
and phishing attacks that have caused the browser to crash.
Firefox 1.0.1 addresses numerous security vulnerabilities
and approximately 40 other browser fixes, according to the not-for-profit
software foundation.
The primary glitch, which the updated browser fixed, was a vulnerability
found in the Internationalized Domain Names (IDN) protocol, which allows the use
of certain international characters that look like other commonly used
characters.
The IDN vulnerability allows hackers to spoof Web sites through phishing
attacks.
The update fixes vulnerabilities that range from “moderately critical” to “not critical”; none are listed as “highly critical,” the Mozilla Foundation said in a statement.
“Regular security updates are essential for maintaining a safe browsing
experience for our users,” he said.
There are no known exploits for any of the vulnerabilities.
The security update can be
downloaded at the Mozilla Web site and will be available within a few days through Firefox’s automatic
update feature.
“I’d encourage users to get this release, especially if they’ve been
prone to phishing attacks or spoofing,” Hofmann said in a statement. “A lot
of work in this release focuses on those areas.”
The Shmoo Group discovered the IDN bug and said it appeared in all browsers, with the
exception of Internet Explorer.
The Firefox browser has been downloaded 27 million times since it was
released on Dec. 7, according to the foundation.
Opera Software also addressed the IDN flaw this week, as well as several
others, with the second beta version of its browser.
The company said the beta includes an answer to the recent security
difficulties with Web site spoofing.
The latest browser displays security information inside the address bar,
located next to a padlock icon that indicates the level of security present
on a site, according to the company. These anti-spoof measures help users
make better decisions about the validity and security of visited Web sites.
“One of the most important measures to counter phishing attacks is the
use of security certificates,” Christen Krogh, Opera’s vice president of
engineering, said in a statement. “The challenge for browser vendors is to
better explain the verification of certificates and to make the user more
aware of this additional verification before entering into secure
transactions.”
The company also addressed the IDN flaw by displaying internationalized domain
names only from certain top-level domains. This ensures that users who depend on
IDN will avoid spoofed sites, the company said.
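
The display policy described above can be sketched in a few lines. This is an added example, not Opera's or Mozilla's code: the allowlist is constructed for illustration, the sample hostnames are constructed, and the conversion uses Python's built-in IDNA 2003 codec.

```python
# Added illustration: show the Unicode form of an internationalized domain
# name only when its top-level domain is on an allowlist; otherwise show the
# ASCII "xn--" form so lookalike characters cannot pass for ASCII letters.

# Assumption: constructed allowlist, not any vendor's real list.
TRUSTED_IDN_TLDS = {"de", "no", "se"}


def to_ascii(hostname: str) -> str:
    """Convert a hostname to its ASCII (xn--) form."""
    try:
        return hostname.rstrip(".").encode("idna").decode("ascii").lower()
    except UnicodeError as exc:
        raise ValueError(f"not a valid hostname: {hostname!r}") from exc


def display_form(hostname: str) -> str:
    """Return the text an address bar would show under the allowlist policy."""
    ace = to_ascii(hostname)
    tld = ace.rsplit(".", 1)[-1]
    if tld not in TRUSTED_IDN_TLDS:
        # Untrusted TLD: keep the encoded form visible to the user.
        return ace
    # Trusted TLD: decode each xn-- label back to Unicode for display.
    return ace.encode("ascii").decode("idna")


if __name__ == "__main__":
    # Constructed samples: the first contains Cyrillic U+0430 in place of "a".
    samples = ["ex\u0430mple.com", "b\u00fccher.de", "b\u00fccher.com", "example.com"]
    for host in samples:
        print(f"{host!r:20} -> {display_form(host)}")
```

Under this policy the lookalike name on an untrusted top-level domain is shown in its encoded form, while the same kind of name on an allowlisted domain is shown in Unicode.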