New Firefox Vulnerability Pushes Latest Update

If you’re a Mozilla Firefox user, there’s another reason for you to update to the latest version of the upstart browser released last week.

Buried in the list of Firefox security updates is a critical heap overflow issue that hit the public disclosure lists officially just today.

Security firm iDefense issued a public advisory today
titled, “Mozilla Firefox and Mozilla Browser Out Of Memory
Heap Corruption Design Error.” The vulnerability could allow an
attacker to execute arbitrary code and/or crash the
browser.

According to iDefense’s security disclosure
timeline, the vulnerability was reported to the Mozilla
Foundation on Feb. 9, and Mozilla responded that day. “Coordinated”
public disclosure was supposed to occur today.

The vulnerability involves the remote
exploitation of a “design error” that could potentially
allow a malicious remote miscreant to trigger a heap
corruption.

According to the iDefense advisory, the vulnerability specifically exists in string-handling functions. The flaw involves the way those functions handle memory, which could potentially allow memory to be overwritten in a fixed location if, during string growth, memory reallocation fails.

According to Mozilla’s advisory, creating the exact conditions for
Exploitation — including running out of memory at just the
right moment — is unlikely.”

That said, iDefense’s advisory notes that the two items
required to execute the exploit — knowing the browser
version and being able to cause memory exhaustion — are
entirely plausible. The security firm wrote in its
advisory that the memory exhaustion could be triggered by
a JavaScript (“to allocate enough memory to trigger this
vulnerability”) or even compressed data.

According to iDefense, even a failed exploitation
attempt could result in the browser crashing. A successful
exploitation attempt would allow for arbitrary code
execution with the same privileges of the logged-in user.
Mozilla’s update last week supposedly fixes the issue.

Firefox’s security concerns come amid new reports of
the open source browser’s growing market share. According
to Web analytics firm OneStat.com, Mozilla browsers, including
Firefox, now command an 8.45 percent market share. This is up
from November when its share was only 7.53
percent. Microsoft’s Internet Explorer still dominates at
87.28 percent.


“It seems that global usage share of Mozilla’s Firefox is
still increasing, and the total global usage share of
Microsoft’s Internet Explorer is still decreasing,” said Niels Brinkman, co-founder of OneStat.com, in a statement. “It looks like that browser users of Internet Explorer 5 are switching to Mozilla Firefox instead of upgrading to
Internet Explorer 6.0.”

News Around the Web