Mozilla warns of security holes, patches Firefox

Several security vulnerabilities in Firefox and the Mozilla Suite put users of the open source products at risk of attacks.

Several security vulnerabilities in Firefox and the Mozilla Suite of Internet software put users of the open-source products at risk of hacker attacks, the Mozilla Foundation warned Thursday.

The organization released Firefox 1.0.1, which fixes 17 security flaws in the popular Web browser. The most serious flaws could allow an attacker to gain full control over a victim's PC, the Mozilla Foundation said in a statement. Firefox 1.0 was released in November and has since been downloaded more than 27 million times.

Firefox 1.0.1 also includes several fixes to guard against spoofing of Web addresses and the security indicator on Web sites. These vulnerabilities could be exploited for phishing scams, which typically use spam e-mail messages to drive people towards fraudulent Web pages that look like legitimate e-commerce sites.

One of the changes made in Firefox 1.0.1 is in the way the browser handles international domain names (IDNs). These names are now displayed differently to make it easier to spot spoofed Web sites. Because of the way Firefox displayed IDNs, it was possible to register domain names with international characters that resembled other common characters, thus tricking users into believing they were on a trusted Web site.

For protection against possible exploitation of the security flaws, users should download and install the latest version of Firefox, the Mozilla Foundation said. The organization does not offer patches to fix the problems without having to install a new browser.

Most of these flaws also affect the Mozilla Suite, which includes a Web browser, an e-mail client, Internet Relay Chat client and Web page editor. However users of the suite are left vulnerable because no fixes are yet available. Mozilla 1.7.6, the update that fixes the issues, is due out in "a couple of weeks," according to a Mozilla Foundation spokesman.

The public warning of the security vulnerabilities is evidence that the Mozilla Foundation's products give a false sense of security, said Thor Larholm, a senior security researcher with PivX Solutions.

"The only reason Mozilla and Firefox have a good track record in security with a low number of security vulnerabilities is simply because they don't tell anyone about them," Larholm said via e-mail.

"The Mozilla Foundation has fixed hundreds if not thousands of security vulnerabilities over the last few years without notifying the world and without providing security patches, instead they have simply just told their users to upgrade," he said. "We have to remember that all software has security vulnerabilities, the only difference is in how we anticipate them and inform the world about their existence."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joris Evers

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?