New Firefox Fixes Holes

UPDATED: Officials at the open source Mozilla Foundation released an update for the Firefox browser Tuesday.

Firefox 1.0.5 is the first update to the popular alternative browser since May 11, when the organization fixed three critical bugs to the Mozilla Update Web service. Firefox 1.0.4 was rushed out the door days after two of the flaws were published by an outfit called the Greyhats Security Group.

The update addresses 12 security issues discovered in the Firefox code and includes stability fixes to the browser. Chris Hofmann, Mozilla director of engineering, said the security vulnerabilities range in severity from low to critical, with two rated critical, and that none has a known exploit.

In addition to Firefox, officials plan to release updates to the Thunderbird e-mail application and Mozilla suite to correct the vulnerabilities addressed in the browser. Hofmann expects Thunderbird and Mozilla updates to be released Wednesday.

As officials pointed out, all three applications use a similar code base, so what affects one may very well affect the others.

Details of the two critical bugs are being withheld until July 20, but both deal with vulnerabilities that could lead to some big headaches for Firefox users.

The first critical bug fixed is described as a “code execution through shared function objects” flaw that would let a Web script reach a privileged object and execute code with enhanced privileges, such as modifying or deleting files.

The other is a critical vulnerability that allows standalone applications like media players to run arbitrary code through the browser. By default, Firefox takes the content from a currently open browser window and puts it into an external window opened by the application.

If the external window is a “javascript: url,” it will run as if it came from the site that served the previous content.

For example, if a Firefox user is at their online bank and runs an application that opens a new Firefox window, that application could now contain the user’s sensitive information.

Mozilla officials have changed the code so that new windows run with a blank context and external applications will no longer be able to load privileged “chrome: urls” in a browser window.

Information on the other Firefox vulnerabilities can be found on the organization’s security advisory page.

Hofmann said most of the fixes in this latest version of Firefox came from the Mozilla community, helped by the organization’s bug bounty program. The foundation rewards people who report a valid critical security bug with $500 and a Mozilla t-shirt.

The Mozilla chief engineer also noted the advantages of having an application in an open source environment over a proprietary product.

“We’ve got this open source community, where people can bring a number of different perspectives, where a commercial company really can’t replicate that,” Hofmann said. “They’re paying all the people they have in the engineering staff and over time the way in which they look at the code has the potential to get stale.”
