Unpatched Flaws Hound Firefox
One of the flaws could allow attackers to steal financial and personal information from Firefox users. The other deals with a problem in a Firefox feature that allows users to install "extensions" -- free add-on programs that make Firefox more interesting, useful and fun.
Mozilla, which developed the free, open-source browser, says it is working on a patch for both problems; in the meantime it has updated its servers to block any attack that tries to leverage these flaws.
Potentially more serious than the discovery of the actual bugs was the posting last week by security researchers at K-OTic Security (a.k.a. Fr-SIRT) of two examples of how bad guys could exploit the flaws. Some security experts say releasing exploit information is useful for people who need to defend against such attacks, and that full, immediate disclosure prods software developers to fix security holes faster than they otherwise would.
That kind of logic never sat well with me, and it's comforting that -- despite the actions by a few groups determined to make a name for themselves -- an increasing number of security researchers are practicing responsible disclosure these days by giving the vendor time to develop and release a patch first before going public with their exploit. This seems to me especially critical given how quickly today's online criminals target security holes in popular software products.