CYBERSPACE – On the eve of the beta release of FireFox 1.5, a security researcher announced that he has located a new security flaw affecting all versions of the browser, putting a bit of a damper on the Mozilla Foundation’s much-anticipated 1.5 beta release Thursday.In the overview of the security advisory posted to his Security-Protocols.com website, researcher Tom Ferris states, “A buffer overflow vulnerability exists within Firefox version 1.0.6 and all other prior versions which allows for an attacker to remotely execute arbitrary code on an affected host.”
In an interview with CNET News, Ferris said that the problem is a result of the way FireFox handles Web links that are extremely long and contain dashes. According to CNET, Ferris first reported the bug to Mozilla on Sunday, but apparently went public with his findings after “having a run-in” with the Mozilla staff.
The French Security Incident Response Team (FrSIRT) has issued two advisories related to the vulnerability, which they rate as “Critical,” and provide a solution to the vulnerability, which involves disabling IDN support. Disabling IDN support is done as follows:
Disable IDN support by entering “about:config” in the location bar, and then setting “network.enableIDN” to “false”.
For the full text of FrSIRT’s advisory, go to: http://www.frsirt.com/english/advisories/2005/1690
FrSIRT has published a related advisory stating that Netscape 8.0 is similarly affected – for more information on the Netscape flaw, go to: http://www.frsirt.com/english/advisories/2005/1691
Security has been a big selling point for Firefox over Internet Explorer, but the browser has seen its share of security problems, including cross-site scripting and remote system access flaws that were discovered in version 1.0.3. A number of other serious holes have been plugged since FireFox’s official release last year, which tends to support the notion put forth by many security experts that a truly secure browser simply does not exist at this point in time.
The beta version of FireFox 1.5 is available for download at http://www.mozilla.org/.
At the time of this article’s writing, the Mozilla Foundation had not publicly commented on the new vulnerability, and no patch has been officially supplied to address the issue.
