RSSThe reason for the last Firefox 2 release: multiple security fixes
by Scott M. Fulton, III
If the manufacturer of a product acknowledges a series of potentially hazardous defects before anyone else can be hurt by them, and the solution is already available, perhaps the word "responsibility" applies in a good way.
With two solutions to these problems already in wide deployment -- the second being Firefox 3 -- and with a dozen or more private engineering teams dedicated to finding vulnerabilities before someone else does, the possible pervasiveness of any "zero-day" exploits inspired by the vulnerabilities' disclosure, as reported by Secunia yesterday, is clearly reduced.
It's also clear that the balance of innovation is shifting to the good guys. One of the twelve exploits, for instance, concerns how Firefox was implementing a protective wrapper that kept scripts from being capable of running arbitrary code. An engineer with the handle moz_bug_r_a4 discovered that this protective wrapper was only being applied to Firefox's own scripts, and not to scripts that are either employed by third-party add-ons or to dynamically generated scripts, pieced together in memory by means of other scripts.
"Firefox itself does not use this feature in a vulnerable way and users who have not installed any Add-ons are not at risk," the organization acknowledged on Tuesday. "We have, however, identified popular Add-ons using this feature whose users are at risk and there are no doubt others."
In another addressed vulnerability, also rated "Critical," a team of five researchers apparently went to work exploring all the classic cases of memory corruption that occur when Firefox 2 crashed -- and it did that quite often. (Seems so long ago already.) Could security holes on account of memory corruption be exploited, maybe if the user restarts Firefox 2 without rebooting the computer first?
Though that question wasn't completely answered, the evidence was apparently pointing in a bad direction. "We presume that with enough effort at least some of these could be exploited to run arbitrary code," the organization said.
14 Comments
Don't mock but reports of IE8 beta 2 due out in August boast of some pretty impressive new security. So before you give it a "one" download and try it for a while. Write a well thought out comprehensive review for the viewers. Mull it over in your mind, weigh up the pros and cons against Foxy and only then give it a "one".
Score: 0
I don't play with Microsoft Alphas. They want to pay me: fine, but otherwise, why bother supporting a for-profit company without getting something in return?
Score: 0
And the other suppliers of Web browsers are what? Charities?
Score: 0
Mozilla is a non-profit company that allows its code to be used elsewhere. So you are actually supporting more than that singular company when you "invest" in that browser. We now have iceweasel, etc as a result. :)
Score: 0
If I believe Wikipedia, the Mozilla Foundation is non-profit but in 2005 the Mozilla Corporation was created to "handle the revenue-related operations of the Mozilla Foundation".
It seems that the majority of the revenues of the foundation comes from a deal with Google.
Don't make me wrong, I don't think it's a bad thing. I believe that the programmers should be paid for their work. I just don't think that Firefox would be where it is today if it had been financed by donations only.
Personally I think Microsoft has IE and Google has Firefox. And Google is a for profit organization.
Score: 0
2.0.0.16 is coming too.
Score: 0
You all thought you were safe, and now it appears you were wrong. Trouble is we're running out of browsers , anyone using an obscure one the bad guys ain't heard of yet, please !?! Not Opera, it's obscure enough but of late not up to much.
Score: 0
Lynx, or the old Amiga browser.
Nothing's secure.
Score: 0
How about avoiding those porn and warez sites for starters. Skipping the myspace domain would be another good idea.
;)
No software protects against stupid. Browser, OS, or otherwise.
Score: 0
Hey, hey, slow down on the porn-trashing. It's my lifeline in hard economic times.
Score: 0
Recent reports show the porn sites are the safest out there. Reason, they make money by charging you good folk for your daily fix and the last thing they want is to upset you.
Score: 0
This should in theory be true.
Score: 0
It's my lifeline in hard economic times.
...so it's been your lifeline for pretty much your entire life, then? ;)
Score: 0
Great comment. You nailed the problem.
Score: 0