The decision for new, so-called point releases was made after the disclosure last week of a problem in the way the browsers handle International Domain Names, or IDNs, Web addresses that use international characters. The vulnerability could let attackers secretly run malicious software on users' PCs. Hackers have been working on exploits for the flaw.
"As soon as we got the report that users might be impacted, we began evaluating our options," said Mike Schroepfer, director of engineering at the Mozilla Foundation. Firefox version 1.0.7 and Mozilla version 1.7.12, which fix the IDN flaw, are now being tested, he said. "We're releasing as soon as we possibly can."
The testing process is to make sure the updates don't introduce any compatibility problems, he said.
In addition to patching the IDN bug, the new releases include one functionality fix and a handful of fixes for yet undisclosed security problems, Schroepfer said.
The Mozilla Foundation, which distributes and coordinates the development of Firefox and Mozilla, responded swiftly to the IDN bug disclosure last week and within 24 hours provided a temporary fix. Though the fix disables support for IDNs, the new updates that are now being tested will actually fix the vulnerability and re-enable IDNs, Schroepfer said.
IDNs have caused trouble for Mozilla in the past. A Firefox security update in February fixed a flaw that would allow domain spoofing using the special domain names.
As the Mozilla Foundation and the open-source community were working on fixing the IDN flaw, the discoverer of that bug reported yet another issue with Firefox. Security researcher Tom Ferris on Wednesday said that Firefox1.5 beta 1 is vulnerable to a problem similar to the IDN bug he disclosed last week.
Another Firefox flaw?
Even with the fix that disables IDN installed, a buffer overflow vulnerability exists in Firefox 1.5 beta 1, Ferris wrote on his Security Protocols Web site. The problem is a variant of the original IDN bug, he wrote.
Buffer overflows are a commonly exploited security problem. They occur when a program allows data to be written beyond the allocated end of a buffer in memory. A computer can be made to execute potentially malicious code by feeding in extra data that is designed to flood over the buffer.
Firefox 1.5 beta 1 was released last week and is a test version of a new Firefox browser due out by year's end.
The Mozilla Foundation is investigating Ferris' latest report, Schroepfer said. "At this time, we're not sure whether it is a vulnerability," he said.
The latest problem occurs only in the beta release, which is meant for testing only and typically has bugs. The beta has been downloaded about 500,000 times, according to Schroepfer.
Firefox has risen in popularity in recent years as a viable alternative to Microsoft's Internet Explorer. Though its market share slipped slightly recently, researchers estimate that between 8 percent and 9 percent of the Internet population uses the open-source browser.
Security has been a main selling point for Firefox over Internet Explorer. However, Firefox has had its own security woes. Numerous serious holes in the browser have been plugged since its official release, and experts have said that safe Web browsers don't exist.
