[AI] Mozilla Rushes Out Another Firefox Patch

Vikas Kapoor dl.vikas at gmail.com
Tue Jul 31 10:18:59 EDT 2007


Mozilla Rushes Out Another Firefox Patch
Mozilla has released Firefox 2.0.0.6, which patches two more security holes.
Robert McMillan, IDG News Service

Tuesday, July 31, 2007 5:00 AM PDT

ser, two weeks after security researchers first started posting code that showed how
the flaws could be exploited in attacks.

The 2.0.0.6 version of Firefox, released Monday, fixes a 
pair
 of related flaws in the URL protocol handler component of Firefox, which is used to launch programs when a user clicks on certain specially crafted Web
links.

Mozilla rates these problems critical, meaning they are a serious security risk. But they have also proven to be an embarrassment for the open-source project.

Earlier in the month security researcher Thor Larholm 
showed
 how to exploit this type of problem in order to make Internet Explorer and Firefox jointly launch software on a user's machine without authorization. To
make the attack work, IE would load malformed data from a Web site, and would then send it to Firefox, which would launch the unauthorized software

Microsoft Corp. and Mozilla disagreed about who was to blame, however, with Mozilla initially saying that the attack wouldn't work on Firefox alone.

But last week, Mozilla's security chief Window Snyder admitted that her team was wrong. "We thought this was just a problem with IE. It turns out, it is
a problem with Firefox as well," she said in a
blog posting
. "We should have caught this scenario."

The URL protocol handler flaw will also be patched in Thunderbird 2.0.0.6, Thunderbird 1.5.0.13 and SeaMonkey 1.1.4, Mozilla said.

The 2.0.0.6 Firefox release also fixes a 
third security flaw
, that Mozilla considers to be less-critical than the URL protocol handler bugs.

http://www.pcworld.com/article/id,135271-pg,1/article.html

Vikas Kapoor,
MSN Id:dl_vikas at hotmail.com, Yahoo+Skype Id: dl_vikas,
Mobile: (+91) 9891098137.


More information about the AccessIndia mailing list