Firefox, Netscape Flaws Discovered

A security researcher has uncovered serious security holes in the latest versions of the Firefox, Mozilla Suite and Netscape Web browsers, flaws that could allow attackers to break into computers if users visit a specially crafted Web site or click on a malformed link in an e-mail, for example.

Bad guys are almost certain to take advantage of this flaw, if for no other reason than it is extremely easy to exploit. All three browsers can be forced to execute a command or computer program of the attacker's choice just by directing them to a URL that is little more than "http://" and a string of dashes.

Tom Ferris, the guy who discovered the flaws, says he's reported them to both Mozilla -- which also developed Firefox -- and Netscape. Still, there are no patches to fix the problem in any of the browsers yet, so be extra careful about clicking on links you receive in instant messages or in e-mail, or consider using another Internet browser. Earlier this month, I blogged about a serious flaw Ferris found in Microsoft's Internet Explorer Web browser that also remains unpatched.

Mozilla and Firefox have grown in popularity in recent months, touted as more secure alternatives to IE. But as this and other research shows, Firefox has its share of security holes as well: Mozilla has released patches to fix at least 23 flaws since I began this column at the end of March. And as the open-source browser continues to increase its market share, you can bet attackers are going to start looking harder for flaws and exploiting them.

By the way, even though there is no patch available yet for the Firefox flaw, some readers in a discussion over at Slashdot.org today were saying that the many friends and family members they have converted from IE to Firefox haven't been applying their Firefox patches.

If you are using Firefox and you see a little red arrow in the upper right corner of your screen, it means security patches are waiting to be applied. Click on the arrow to start that process. If that fails, try using Firefox's updater tool by clicking on "Tools" in the menu at the top of the browser window, then "options" then the "Advanced" tab. Scroll down to the section that says "software update" (and make sure there's a check mark next to both "Extensions" and "Firefox"). Then hit the button that says "check now" and it should find any available updates.

By Brian Krebs  |  September 9, 2005; 11:45 AM ET
Categories:  Latest Warnings  

Comments

So far, no-one's exploited any of the Firefox holes. I think most hackers won't. Why?

Firefox is "ours". We can examine it, we can fix it. Even though I didn't personally offer any improvements, I can and chances are they'll be used. We're all the authors, and no-one paints graffiti on his own sculpture.

IE is "theirs". The big evil corporation owns it and profits from it. Hacking IE is like freedom-fighting, liberating software so it once again belongs to the people.

I think even if Firefox and IE reach parity, people will still exploit IE.

Until there's enough money in it. Then all bets are off.

Posted by: Filf | September 9, 2005 1:40 PM | Report abuse

"If you are using Firefox and you see a little red arrow in the upper right corner of your screen, it means security patches are waiting to be applied. Click on the arrow to start that process."

I think, more accurately, this would be the upper right corner of the browser.

-jsc

Posted by: James Cameron | September 9, 2005 4:52 PM | Report abuse

How about Safari? Does this mean that Safari is the safest bet for Mac users?

Posted by: Caesar | September 9, 2005 5:09 PM | Report abuse

I hope that's not naive.

Posted by: Hal Straus | September 9, 2005 5:17 PM | Report abuse

It's not that Firefox doesn't have security holes. As many, including Brian Livingston (http://brianlivingston.com/) in his Windows' Secrets newsletter, have pointed out, Firefox comes out with patches for known issues a lot faster than Microsoft does for IE. Sometimes Microsoft leaves IE wide open for months after holes are made public. If you update your software regularly, you're considerably safer with Firefox.

Posted by: Pat Gomes | September 9, 2005 8:10 PM | Report abuse


A patch has been released to immunize Firefox (as of 3:30pm Pacific time):

http://www.mozilla.org/security/idn.html

Hope this helps everyone. Keep up the good work!

Posted by: Steve Harris | September 9, 2005 8:11 PM | Report abuse

Would like to have contact with Gomes.

Posted by: mondella | September 18, 2005 2:54 PM | Report abuse

Firefox is "ours". We can examine it, we can fix it. Even though I didn't personally offer any improvements, I can and chances are they'll be used. We're all the authors, and no-one paints graffiti on his own sculpture.

Posted by: Stan | January 14, 2006 4:24 AM | Report abuse

The comments to this entry are closed.

 
 