By Robert Lemos
Posted on ZDNet News: Mar 23, 2005 8:42:00 PM

The Mozilla Foundation issued a patch for a major security flaw in its Firefox browser on Wednesday and advised people to update their software.

The problem is caused by a buffer overflow in legacy Netscape code still included in the browser for animating GIF images, Chris Hofmann, director of engineering for Mozilla, said. Similar memory problems have affected Mozilla's browsers and Microsoft's Internet Explorer in the past. A malicious attacker could exploit them by creating carefully crafted image files that, when viewed by a victim in a browser, execute a program and compromise the system.

The flaw was discovered by Internet Security Systems, a network protection company, and patched before the public learned of the issue, Hofmann said.

"We are staying ahead and being proactive in fixing the code," he said. "The deciding factor, in this case, was the potential for this: It's a little easier for hackers to turn it into an exploit that could be dangerous."

The Mozilla Foundation released version 1.02 of Firefox on Wednesday to fix the problem and asked all users to download and apply the patch.

Recently published data has prompted questions about the security of Firefox. Security technology provider Symantec said in this week's Internet Threat Report that during the second half of last year, 21 vulnerabilities affected Mozilla browsers and 13 flaws affected Internet Explorer.

However, only seven of the flaws in Firefox were considered "highly severe," compared with nine in Internet Explorer.

Mozilla's Hofmann pointed to the data as a positive indication that the developers were doing a good job of securing the Firefox code.

"As the data shows, the flaws are of lesser severity," he said. "The kinds of things Microsoft's browser is vulnerable to are much more worrisome."

On Tuesday, Mozilla president Mitchell Baker predicted that Firefox won't suffer nearly as many security flaws as Internet Explorer and that the increasing popularity of the open-source browser won't change that.

"Microsoft has a proven track record with Internet Explorer," Microsoft said in a statement. "We continue to make significant investments in Internet Explorer, including Windows XP Service Pack 2, which features a much stronger security infrastructure to help thwart malware attacks, block suspicious content and eliminate many common spoofing attempts. In addition, Internet Explorer 7 will be a major upgrade that will focus on security."

Mozilla is currently reviewing the roughly 2 million lines of code that make up the Firefox browser to find vulnerabilities similar to those patched Wednesday. Last August, the organization offered a bounty to anyone who finds significant flaws in the software. The developers are looking with particular intensity at the legacy code that remains in the browser.

"Most of the things that we are looking at and fixing are potential exploits that no one has figured out how to exploit yet," Hofmann said.
