Neil Turner's Blog

Blogging about technology and randomness since 2002

Firefox 1.0.4 on the way

Firefox has its first unpatched “extremely critical” security flaw. It’s actually a combination of two flaws which, when used together, can lead to arbitrary code execution. Right now, the workaround is to either disable JavaScript, or disable software installation (Tools, Options, Web Features) – both should do the trick but the latter is less draconian. Firefox 1.0.4 is on the way to fix the flaw.
The MozillaZine article has more:

Paul and mikx reported the vulnerability to the Mozilla Foundation and bug 292691 was filed on Monday 2nd May. In line with the Mozilla security bugs policy, access to the bug report was restricted to members of the security team. However, somebody else found out and leaked the details of the exploit. […] In a message to the Full Disclosure mailing list, Paul criticised the individual who leaked the details of the Firefox code execution exploit, condemning his or her actions as “inconsiderate” and “irresponsible”.

Indeed. Whoever leaked the details just put several million users at risk unnecessarily. The specifics of the flaw would have been released in a few days anyway once 1.0.4 was released – couldn’t they have waited for the official disclosure?
I could of course rant at all the other security sites with the details of this flaw – Secunia included – but the cat’s out of the bag now. Alex Bishop’s analysis of one security report is interesting reading.
Update: MoFo has published an official advisory on the issue and has stated that it “…is aggressively working to provide a more comprehensive solution to these potential vulnerabilities and will provide that solution in a forthcoming security update.”

3 Comments

  1. Once a zero-day is released then it’s important that everybody knows about it and so are able to protect themselves and also their users. Granted that exploit should never have been released in the first place, but it was and so we just have to work with it.
    Incidentally, I tried the exploit on my Linux install of Firefox and it failed with javascript errors.

  2. Hmm. Another download and install of Firefox.
    Can’t they just magically get it right the first time? 😉

  3. I tested the exploit on a couple of browsers and none of them seemed to do what they were supposed to do (run a program in a dos box) so I’m not sure if the exploit was broken or whether I was secure. In the meantime, just practise safe browsing.