Security flaw targets Firefox, Linux users

A serious security flaw surfaced on Tuesday that turns conventional security assumptions on their head -- affecting Firefox and Linux, but leaving Microsoft's Internet Explorer and Windows unscathed.

The bug is in the Linux shell scripts that Firefox and the Mozilla browser suite use to parse Web addresses supplied via the command line or by external programs such as email clients. Researcher Peter Zelezny discovered that commands included in the URL and enclosed in backticks (`) were executed by the Linux or Unix shell.

The flaw doesn't require Web interaction to be effective. If a user with affected versions of Firefox or Mozilla set as the default browser clicks on a maliciously crafted URL in an email program, for example, malicious commands would be executed before the browser was launched.
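The class of bug described above, shown as an added example that comes neither from the article nor from Mozilla's scripts: a constructed launcher that re-parses its URL argument as shell code, beside one that passes the URL through as data. The names fake_browser, launch_unsafe, launch_safe and url_is_clean, the example.test URL, and the use of eval as the re-parsing mechanism are all assumptions made for illustration.

```shell
#!/bin/sh
# Constructed demo, not Mozilla's script: a launcher that re-parses its URL
# argument as shell code, beside one that treats the URL purely as data.

# Hypothetical stand-in for the browser binary: echoes the argument it got.
fake_browser() {
    printf '%s\n' "$1"
}

# Unsafe: the URL is spliced into a command string and evaluated again, so
# the shell performs command substitution on any backticks inside it.
launch_unsafe() {
    eval "fake_browser \"$1\""
}

# Safe: the URL stays one quoted argument and is never parsed a second time.
launch_safe() {
    fake_browser "$1"
}

# Secondary check: refuse characters that RFC 3986 does not allow unencoded
# in a URL. Quoting is the actual fix; this only narrows what gets through.
url_is_clean() {
    case $1 in
        *'`'* | *'"'* | *'\'* | *' '* | *'|'* | *'<'* | *'>'*) return 1 ;;
    esac
    return 0
}

# Constructed sample input with a harmless embedded command.
sample='http://example.test/`echo INJECTED`'

echo "unsafe launcher passes: $(launch_unsafe "$sample")"
echo "safe launcher passes:   $(launch_safe "$sample")"
if url_is_clean "$sample"; then
    echo "check: accepted"
else
    echo "check: rejected (character not valid in a URL)"
fi
```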

Security advisory aggregators Secunia and FrSIRT both gave the flaw their most severe ratings.

The Mozilla Foundation, which develops Firefox and other Mozilla-based software such as the Thunderbird email client, on Wednesday issued a Firefox update -- version 1.0.7 -- fixing the flaw, as well as a week-old security bug in the handling of International Domain Names (IDN). The update can be found on the Firefox Web site.

The flaw arrives amid mounting challenges for Firefox, which has gained a significant user base in the past few months, mostly at the expense of Internet Explorer. A report from Symantec earlier this week revealed that nearly twice as many flaws had been discovered in Firefox as in Explorer over the first six months of this year. A few days earlier, developers were forced to rush out a patch for a critical hole in Firefox involving IDN parsing.

Linux is also generally seen as a lower-risk platform than Windows, partly because it is less widely used on the desktop and therefore isn't targeted as often. The security picture is changing, though, according to the Symantec report, with platforms like Linux and Mac OS X coming under increasing scrutiny by potential attackers.

Tristan Nitot, president of Mozilla Europe, has said Symantec's figures don't tell the whole story. For one thing, Firefox patches arrive faster than those for Explorer, he said, pointing out that Microsoft won't even issue its monthly patch in September. More flaws are being discovered in Firefox in the short term because of its newfound popularity, but overall, Explorer's flaws are more numerous and more severe, according to Nitot.


Matthew Broersma

Techworld.com