The Mozilla Foundation has released a Firefox update to patch a spoofing vulnerability and to fix a problem that caused Firefox 1.0 to crash.
Since its November 2004 release, the first full version of Firefox (1.0) has seen more than 25 million downloads in 100 days. But vulnerabilities have also cropped up in those 100 days, the most serious of which didn't affect Internet Explorer. The vulnerabilities include one that can cause the browser to crash and another that allows URL address spoofing and could enable successful phishing attacks.
However, the cumulative threat from all of the vulnerabilities is actually rather weak. So far, I haven't seen any reports of exploits. But the update itself doesn't appear to cause any serious problems either, so most users will probably want to make the upgrade.
The main purpose for the update is to provide additional defense against URL spoofing and phishing attacks. The phishing problem involves the Internationalized Domain Name (IDN) homograph spoofing bug. You can find a detailed explanation of this threat on Shmoo.com.
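As an added illustration (not code from the original article or from Mozilla), here is a small Python checker of the kind a mail gateway or proxy could run on link hostnames: it decodes Punycode (xn--) labels back to the form the browser would display, then flags labels that mix Unicode scripts or that are built from Cyrillic look-alikes of Latin letters. The confusables table is a constructed subset, and the sample hostnames are constructed for the demonstration.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones;
# a production check would load the full Unicode confusables data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}


def normalize(host):
    """Accept a hostname in Unicode or Punycode form; return (unicode, ascii)."""
    ascii_form = host.encode("idna").decode("ascii")        # wire form, e.g. xn--...
    unicode_form = ascii_form.encode("ascii").decode("idna")  # what the user sees
    return unicode_form, ascii_form


def label_scripts(label):
    """Return the set of Unicode scripts used in a label (digits and '-' ignored)."""
    scripts = set()
    for ch in label:
        if ch in "0123456789-":
            continue
        # The first word of a character name is its script, e.g. LATIN, CYRILLIC.
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def skeleton(label):
    """Replace known look-alike characters by the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyze_host(host):
    """Flag IDN labels that mix scripts or are pure Latin look-alikes."""
    unicode_form, ascii_form = normalize(host)
    reasons, looks_like = [], []
    for label in unicode_form.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            reasons.append("label %r mixes scripts %s" % (label, sorted(scripts)))
        sk = skeleton(label)
        if sk != label and sk.isascii():
            reasons.append("label %r is a look-alike of %r" % (label, sk))
        looks_like.append(sk)
    return {
        "unicode": unicode_form,
        "ascii": ascii_form,
        "looks_like": ".".join(looks_like),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }
```

A genuine single-script non-Latin name (for example a fully Cyrillic domain) passes both checks, so the filter targets the spoofing case rather than IDN as such.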
Firefox users who have switched on the automatic update feature may already have this upgrade. Users who don't take advantage of this feature should know about a few potential problems with this upgrade—particularly since the cumulative threats are rather mild.
To prevent the automatic update until you've evaluated the new release, go to Tools | Options | Advanced Options | Software Update, and deselect the check box if you don't want your version of Firefox updated automatically. While Firefox 1.0's Help reports that this feature is on by default, it wasn't set as the default when I installed 1.0.
In its weekly security bulletin, SANS reported two minor problems with the update, one of which involves the resetting of the home page. The second problem was one I had already experienced with Firefox 1.0, so I'm not positive it's really a new problem. In fact, it isn't really a problem at all; it's just the way the program seems to work and involves how browser windows open from within Microsoft Word.
One major bug with the update process causes Windows and Linux versions to crash when users type in the address bar. This occurs if you copied the new version to the same directory where you installed a previous zipped version. As recommended by Mozilla, you can avoid this bug by changing the directory where you install the new version.
Mozilla includes information on its Web site about fixing the problem after it occurs. It details the fix under the Important Note section near the top of its Release Notes Web page. Basically, you must wipe out the new installation and start over.
According to the Known Vulnerabilities In Mozilla Web page, other security-related vulnerabilities fixed in version 1.0.1 include:
- MFSA 2005-28: Unsafe /tmp/plugtmp directory exploitable to erase user's files
- MFSA 2005-27: Use of plug-ins to load privileged content
- MFSA 2005-25: Image drag-and-drop executable spoofing
- MFSA 2005-24: HTTP auth prompt tab spoofing
- MFSA 2005-23: Download dialog source spoofing
- MFSA 2005-22: Download dialog spoofing using Content-Disposition header
- MFSA 2005-21: Overwrite arbitrary files downloading .lnk twice
- MFSA 2005-20: XSLT can include stylesheets from arbitrary hosts
- MFSA 2005-19: Autocomplete data leak
- MFSA 2005-18: Memory overwrite in string library
- MFSA 2005-17: Install source spoofing with user:pass@host
- MFSA 2005-16: Spoofing download and security dialogs with overlapping windows
- MFSA 2005-15: Heap overflow possible in UTF8-to-Unicode conversion
- MFSA 2005-14: SSL "secure site" indicator spoofing
- MFSA 2005-13: Window Injection Spoofing
The spoofing vulnerability applies to any Firefox version prior to 1.0.1.
Risk level - Moderate
The major threat fixed by this update is an address spoofing problem. The other security threats addressed by this update appear to be very minor.
Your best bet is to apply the update. While workarounds are available, they are too complex to explain here.
I find it quite ironic that the IDN spoofing threat was the main trigger for this big patch rollout for Firefox, and it involves a feature that Internet Explorer doesn't support by default. All in all, this is a very minor update for what is essentially a new browser—version 1.0, after all.
However, keep in mind that Firefox has seen wide use and testing for much longer than any commercial product could stay in the beta phase. I would only caution managers to remember that 25 million downloads doesn't mean 25 million regular users.
On a personal note, I actually use both Firefox 1.0 and IE6 on a daily basis—and not just for testing. Each one has its own advantages, particularly when dealing with some Java sites.
Also watch for …
- The Bank of America lost tapes with the financial data of more than a million federal employees, including members of Congress. Look for this to trigger calls for federal legislation—especially after a few senators get hacked.
- ChoicePoint suffered a security breach that involved the financial data of nearly 150,000 people who had probably never even heard of the company, and senators have already called for new laws. But hold on to your hats: The biggest threat likely comes from even more obscure databases, such as those maintained by Westlaw or LexisNexis.
- Microsoft XP users need to remember that April 12 is the deadline when the Automatic Update feature begins triggering your system to download and install Service Pack 2. If you aren't prepared to update from XP or XP SP1, you better check your update settings.