Firefox fix due next week after attack is published
Online attack code has been released targeting a critical, unpatched flaw in the Firefox browser.
The attack code, written by security researcher Guido Landi was published on several security sites Wednesday, sending Firefox developers scrambling to patch the issue. Until the flaw is patched, this code could be modified by attackers and used to sneak unauthorized software onto a Firefox user's machine.
Mozilla developers have already worked out a fix for the vulnerability. It's slated to ship in the upcoming 3.0.8 release of the browser, which developers are now characterizing as a "high-priority firedrill security update," thanks to the attack code. That update is expected sometime early next week.
"We... consider this a critical issue," said Mozilla Director of Security Engineering Lucas Adamski in an email.
The bug affects Firefox on all operating systems, including Mac OS and Linux, according to Mozilla developer notes on the issue.
By tricking a victim into viewing a maliciously coded XML file, an attacker could use this bug to install unauthorized software on a victim's system. This kind of Web-based malware, called a drive-by download, has become increasingly popular in recent years.
While the public release of browser attack code doesn't happen all that often, security researchers don't seem to have much trouble finding bugs in browser software. Last week, two hackers at the CanSecWest security conference dug up four separate bugs in the Firefox, IE and Safari browsers.
IDG News Service
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
firefox
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
