Researcher Flags Firefox Code Execution Flaw

Home

Web Design

Researcher Flags Firefox Code Execution Flaw
By Ryan Naraine
2005-09-09

Article Rating:

/ 0

Rate This Article:

Add This Article To:

Digg this

Del.icio.us

Slashdot

Y! My Web

E-mail

Furl

Google

Simpy

Spurl!

PDF Version

The open-source Mozilla Foundation is scrambling to patch a potentially dangerous code execution hole in fully patched versions of its flagship Firefox Web browser.

Officials at the Mozilla Foundation on Friday acknowledged that a potentially dangerous code execution hole exists in fully patched versions of its flagship Firefox Web browser.

The open-source foundation's confirmation comes on the same day it shipped Firefox 1.5 Beta 1 (code-named Deer Park) and highlights the delicate balancing act faced by Mozilla to market Firefox as a security upgrade over Microsoft's dominant Internet Explorer.

The vulnerability, which was discovered and reported by independent security analyst Tom Ferris, affects all versions of Firefox (Windows and Linux), including the latest beta refresh.

In an advisory posted on Security-Protocols.com, Ferris described the bug as a buffer overflow that opens the door for an attacker to remotely execute arbitrary code on an affected host.

A proof-of-concept demonstration has also been published to show that a specially crafted URL can force Firefox to crash.

In some cases, a malicious hacker can exploit the buffer overflow to launch arbitrary code, either remotely or locally.

According to FrSIRT (French Security Incident Response Team), the flaw also affects the Mozilla suite.

"This flaw is due to a buffer overflow error in the "NormalizeIDN" function when handling specially crafted URLs embedded in 'HREF' tags," FrSIRT said, warning that the vulnerability carries a "critical" rating.

A successful attacker could "take complete control of an affected system via specially crafted Web pages," FrSIRT added.

Security alerts aggregator Secunia Inc. also rated the issue as "highly critical" and recommended that Firefox users avoid browsing untrusted Web sites until a patch is released by Mozilla.

The issue was first reported to Mozilla on Sept. 4, and open-source volunteers have already created fixes for testing. A comprehensive patch will be released once quality assurance tests are complete.

Read the full story on eweek.com: Researcher Flags Firefox Security Flaw

Discuss Researcher Flags Firefox Code Execution Flaw

>>> Be the FIRST to comment on this article!

>>> More Web Design Articles >>> More By Ryan Naraine

Email Article To Friend ♦ Print Version Of Article ♦ PDF Version Of Article

Buyer's Guide

	Explore hundreds of products in our Publish.com Buyer's Guide.

	Web design Content management Graphics Software Streaming Media	Video Digital photography Stock photography Web development

View all >

FREE ZIFF DAVIS ENTERPRISE ESEMINARS AT ESEMINARSLIVE.COM

Dec 10, 4 p.m. ET
Eliminate the Drawbacks of Traditional Backup/Replication for Linux with Michael Krieger. Sponsored by InMage

Dec 11, 1 p.m. ET
Data Modeling and Metadata Management with PowerDesigner with Joel Shore. Sponsored by Sybase

Dec 12, 12 p.m. ET
Closing the IT Business Gap: Monitoring the End-User Experience with Michael Krieger. Sponsored by Compuware

Dec 12, 2 p.m. ET
Enabling IT Consolidation with Michael Krieger. Sponsored by Riverbed & VMWare

Join us on Dec. 19 for Discovering Value in Stored Data & Reducing Business Risk. Join this interactive day-long event to learn how your enterprise can cost-effectively manage stored data while keeping it secure, compliant and accessible. Disorganized storage can prevent your enterprise from extracting the maximum value from information assets. Learn how to organize enterprise data so vital information assets can help your business thrive. Explore policies, strategies and tactics from creation through deletion. Attend live or on-demand with complimentary registration!

Register Today!

FEATURED CONTENT

IT LINK DISCUSSION - MIGRATION
A Windows Vista® migration introduces new and unique challenges to any IT organization. It's important to understand early on whether your systems, hardware, applications and end users are ready for the transition.
Join the discussion today!

.NAME Charging For Whois
Whois has always been a free service, but the .NAME registry is trying to change that.
Read More >>

Sponsored by Ziff Davis Enterprise Group

NEW FROM ZIFF DAVIS ENTERPRISE

Delivering the latest technology news & reviews straight to your handheld device

Now you can get the latest technology news & reviews from the trusted editors of eWEEK.com on your handheld device
mobile.eWEEK.com

RSS 2.0 Feed

Publish.com

Google Watch

Google GPay Patent Whets the Wireless Thirst

Google Drops Curtain on Home Decor Trademark Suit

Google News Goes Straight to the Source

Video Interviews

Designing Apps for Usability
DevSource interviews usability pundit Dr. Jakob Nielsen on everything from the proper attitude for programmers to the importance of prototyping in design to the reasons why PDF, Flash and local search engines can hurt more than they help.

BUYER'S GUIDES

• Content management

• Digital photography

• Graphics Software

• Stock photography

• Streaming Media

• Video

• Web development

• Web design

View all >

	Publish: Contact Us \| Advertise \| Site Map

	Ziff Davis Enterprise Home \| Contact Us \| Advertise \| Link to Us \| Reprints \| Magazine Subscriptions \| Newsletters Tech RSS Feeds \| White Papers \| ROI Calculators \| Tech Podcasts \| Tech Video \| VARs \| System Builder
	Baseline \| Careers \| Channel Insider \| CIO Insight \| DesktopLinux \| DeviceForge \| DevSource \| eSeminars \| eWEEK \| Enterprise Network Security \| LinuxDevices \| Linux Watch \| Microsoft Watch \| Mid-market \| Networking \| PDF Zone \| Publish \| Security IT Hub \| Strategic Partner \| TechDirect \| Web Buyer's Guide \| Windows for Devices
	Developer Shed \| Dev Shed \| ASP Free \| Dev Articles \| Dev Hardware \| SEO Chat \| Tutorialized \| Scripts \| Code Walkers \| Web Hosters \| Dev Mechanic \| Dev Archives \| igrep Use of this site is governed by our Terms of Use and Privacy Policy
	Copyright ©1996-2013 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. Publish is a trademark of Ziff Davis Enterprise, Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise Inc. is prohibited.