Mozilla releases Firefox fix

Bill Brenner

Mozilla has released Firefox 2.0.0.3 and 1.5.0.11 to close a security hole attackers could exploit to access sensitive information on a victim's machine, as well as several glitches that were accidentally introduced during the last browser upgrade.

Mozilla noted in an advisory that the file transfer protocol (FTP) includes a passive command Firefox uses to request an alternate data port. The specification of the FTP protocol allows the server response to include an alternate server address as well, Mozilla said.

"A malicious Web page hosted on a specially-coded FTP server could use this feature to perform a rudimentary port scan of machines inside the firewall of the victim," Mozilla said in its advisory. "By itself this causes no harm, but information about an internal network may be useful to an attacker should there be other vulnerabilities present on the network."

The French Security Incident Response Team (FrSIRT) said in its advisory that an attacker could exploit the flaw to access sensitive information on a victim's machine.

With the latest versions of Firefox, Mozilla said clients will now ignore the alternate server address.

The upgrade also fixes some glitches that were accidentally introduced during the last browser update, Mozilla said.

The last update, Firefox 2.0.0.2 and 1.5.0.10, was released earlier this month to address a regression error that occurred when the browser processed certain IMG tags. Attackers who successfully lured users to a malicious Web page could have exploited the flaw to bypass restrictions and run arbitrary code.

Firefox 2.0 has suffered from a variety of flaws since its release last October.

Mozilla security chief Window Snyder said in a recent interview that Mozilla tries to issue a security upgrade every six weeks or so.

"We're continuously looking for vulnerabilities and continuously fixing them," she said at the time. "Users don't have to wait for the next version of the product to get a lot of the benefits of the security work we're doing. They get it on a regular basis."

She made that comment after being asked if the frequent security updates are an indication that the open source browser isn't as ironclad as supporters boast. Firefox is often touted by fans as a more secure alternative to Microsoft's much-attacked Internet Explorer.

