Firefox Develops another Security Flaw Page: 1
Firefox Develops another Security Flaw
 
Firefox and its developer Mozilla seem to be having a tough time off-late. A major security vulnerability was discovered in the browser last week, and even as Mozilla has worked to patch it, yet another major flaw has cropped up.
 
The vulnerability last week was related to the JavaScript engine of Firefox 3.5 and left user systems exposed to remote code execution and thereby hacking. Mozilla worked quickly to patch this flaw and 22 other bugs and released Firefox version 3.5.1 on last Friday.
 
Even as users across the world have started upgrading to the new version, SecurityFocus has reported the discovery of another vulnerability that afflicts both version 3.5 and 3.5.1. This time around, it is flaw that leads to a stack buffer overflow, and opens up the browser to a remote attacker.
 
Stemming from its Unicode text handling system, the flaw allows easy execution of arbitrary code just by visiting a website into which it has been embedded. Once the code is executed, it causes the browser to crash and leads to a denial of service. In certain situations, Windows itself will execute the code.
 
This flaw would make it really simple for remote attackers to gain access to a user’s system and have their way with it. While the first vulnerability has been patched, this latest one is still unresolved and so far, there does not seem to be any easy way out of it either.
 
As the remote code would rely on JavaScript for its execution, the only option open to users at the moment is something like the NoScript plugin that would stop all script executions. While this might be an option, two security flaws cropping up within a week have raised serious doubts about the open-source browser and the testing conducted by the Mozilla Foundation before rushing ahead with the release.
 
Do you feel Mozilla released Firefox 3.5 much too quickly without sufficiently testing it? Talk about it in our Forums