Mozilla vulnerabilities identified

Users of the Mozilla and Firefox browsers and the Thunderbird e-mail client may be vulnerable to flaws that could allow an attacker to spy on or take over a system, according to security researchers.

The most serious bug affects all versions of Mozilla earlier than 1.7.5, and could result in a system crash or the execution of malicious code, the Mozilla Project said. A boundary error in the way Mozilla handles "news://" addresses can be used to cause a heap-based buffer overflow, which crashes the application and may allow for code execution, according to an advisory from Maurycy Prodeus of iSEC Security Research, who discovered the flaw.

An attacker could exploit the bug by creating an overly-long "news://" link, distributed in an e-mail or on a Web page, and enticing a user to click on it. Such methods have been successfully used to spread worms. Mozilla version 1.7.5 fixes the problem. Independent security research firm Secunia gave the bug a "highly critical" rating.

To exploit the flaw, the attacker must point to a real news server that is accessible. Prodeus created a proof-of-concept file that demonstrates the bug.

Firefox and Thunderbird are affected by less serious problems. The first is a vulnerability in the way they store temporary files -- the files are sometimes stored with predictable names and in a format that allows anyone to read them. This means a local attacker could easily read the contents of another user's attachments or downloads, according to researchers.

Finally, a Secunia researcher discovered a way of spoofing the names of file downloads in Firefox. A malicious site could use the bug to disguise the true nature of files the user is downloading, or to get information on the presence of specific files on the local system.

These bugs are all fixed in Firefox 1.0 and newer, and Thunderbird 0.9 and newer.

In recent months many users have begun switching to browsers such as Firefox and Mozilla because of increasingly serious security risks affecting Microsoft's dominant Internet Explorer. However, the newfound popularity of the Mozilla-based browsers has been accompanied by greater scrutiny by security researchers, and the regular discovery of new flaws.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Matthew Broersma

Techworld.com
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?