Mozilla releases Firefox fix

By Bill Brenner, Senior News Writer
22 Mar 2007 | SearchSecurity.com

Security Wire Daily News

Mozilla has released Firefox 2.0.0.3 and 1.5.0.11 to close a security hole attackers could exploit to access sensitive information on a victim's machine, as well as several glitches that were accidentally introduced during the last browser upgrade.

Mozilla noted in an advisory that the File Transfer Protocol (FTP) includes a passive command that Firefox uses to request an alternate data port. The FTP specification allows the server's response to include an alternate server address as well, Mozilla said.

"A malicious Web page hosted on a specially-coded FTP server could use this feature to perform a rudimentary port scan of machines inside the firewall of the victim," Mozilla said in its advisory. "By itself this causes no harm, but information about an internal network may be useful to an attacker should there be other vulnerabilities present on the network."

The French Security Incident Response Team (FrSIRT) said in its advisory that an attacker could exploit the flaw to access sensitive information on a victim's machine.

With the latest versions of Firefox, Mozilla said clients will now ignore the alternate server address.

The upgrade also fixes some glitches that were accidentally introduced during the last browser update, Mozilla said.

The last update, Firefox 2.0.0.2 and 1.5.0.10, was released earlier this month to address a regression error that occurred when the browser processed certain IMG tags. Attackers who successfully lured users to a malicious Web page could have exploited the flaw to bypass restrictions and run arbitrary code.

Firefox 2.0 has suffered from a variety of flaws since its release last October.

Mozilla security chief Window Snyder said in a recent interview that Mozilla tries to issue a security upgrade every six weeks or so.

"We're continuously looking for vulnerabilities and continuously fixing them," she said at the time. "Users don't have to wait for the next version of the product to get a lot of the benefits of the security work we're doing. They get it on a regular basis."

She made that comment after being asked if the frequent security updates are an indication that the open source browser isn't as ironclad as supporters boast. Firefox is often touted by fans as a more secure alternative to Microsoft's much-attacked Internet Explorer.
