Unpatched Flaws Hound Firefox

People who browse the Web using the increasingly popular Firefox Internet browser should be aware of two new serious security holes recently discovered in the software.

One of the flaws could allow attackers to steal financial and personal information from Firefox users. The other deals with a problem in a Firefox feature that allows users to install "extensions" -- free add-on programs that make Firefox more interesting, useful and fun.

Mozilla, which develops the free, open-source browser, says it is working on a patch for both problems. In the meantime it has reconfigured its own servers so that they cannot be used in an attack that leverages the extension-installation flaw.

Those changes mean that, for the time being, anyone who wants to install an extension from the Mozilla site will have to do so manually; instructions for doing that are available online. Mozilla also recommends that Firefox users consider making slight modifications to the browser until a patch is available. Keep in mind that if you disable JavaScript, as Mozilla suggests, many Web sites will not work properly. (I'd recommend keeping JavaScript on, unless you're in the habit of visiting some of the seamier online neighborhoods.)

Potentially more serious than the bugs themselves was the posting last week by security researchers at K-OTik Security (a.k.a. FrSIRT) of two working examples of how attackers could exploit the flaws. Some security experts say releasing exploit code is useful to people who need to defend against such attacks, and that full, immediate disclosure prods software developers to fix security holes faster than they otherwise would.

That kind of logic never sat well with me, and it's comforting that -- despite the actions of a few groups determined to make a name for themselves -- an increasing number of security researchers are practicing responsible disclosure these days, giving the vendor time to develop and release a patch before going public with their exploit. That seems to me especially critical given how quickly today's online criminals target security holes in popular software products.

By Brian Krebs  |  May 10, 2005; 10:15 AM ET
Categories:  Latest Warnings  

© 2010 The Washington Post Company