Want to stay on top of
the latest security updates? Automatically
sign up for our free IT Locksmith newsletter, delivered each Tuesday!
The Mozilla Foundation has released a Firefox update to
patch a spoofing vulnerability and to fix a problem that caused Firefox 1.0 to
Since its November 2004 release, the first full version of Firefox
(1.0) has seen more than 25 million downloads in 100 days. But vulnerabilities
have also cropped up in those 100 days, the most serious of which didn’t affect
Internet Explorer. The vulnerabilities include one that can cause the browser
to crash and another that allows URL address spoofing and could enable
successful phishing attacks.
However, the cumulative threat from all of the
vulnerabilities is actually rather weak. So far, I haven’t seen any reports of
exploits. But the update itself doesn’t appear to cause any serious problems
either, so most users will probably want to make the upgrade.
The main purpose for the update is to provide additional
defense against URL spoofing and phishing attacks. The phishing problem
involves the Internationalized
Domain Name (IDN) homograph spoofing bug. You can find a detailed explanation of this
threat on Shmoo.com.
Firefox users that have switched on the automatic update
feature may already have this upgrade. Users who don’t take advantage of this
feature should know about a few potential problems with this
upgrade—particularly since the cumulative threats are rather mild.
To prevent the automatic update until you’ve evaluated the
new release, go to Tools | Options | Advanced Options | Software Update, and deselect
the check box if you don’t want your version of Firefox updated automatically. While
Firefox 1.0’s Help reports that this feature is on by default, it wasn’t set as
the default when I installed 1.0.
In its weekly security bulletin, SANS reported two minor
problems with the update, one of which involves the resetting of the home page.
The second problem was one I had already experienced with Firefox 1.0, so I’m
not positive it’s really a new problem. In fact, it isn’t really a problem at
all; it’s just the way the program seems to work and involves how browser
windows open from within Microsoft Word.
One major bug with the update process causes Windows and
Linux versions to crash when users type in the address bar. This occurs if you
copied the new version to the same directory where you installed a previous
zipped version . As recommended by Mozilla, you can avoid this bug by changing
the directory where you install the new version.
Mozilla includes information on its Web site about fixing
the problem after it occurs. It details the fix under the Important Note section
near the top of its Release
Notes Web page. Basically, you must wipe out the new installation and start
According to the Known
Vulnerabilities In Mozilla Web page, other security-related vulnerabilities
fixed in version 1.0.1 include:
2005-28: Unsafe /tmp/plugtmp directory exploitable to erase user’s files
2005-27: Use of plug-ins to load privileged content
2005-25: Image drag-and-drop executable spoofing
2005-24: HTTP auth prompt tab spoofing
2005-23: Download dialog source spoofing
2005-22: Download dialog spoofing using Content-Disposition header
2005-21: Overwrite arbitrary files downloading .lnk twice
2005-20: XSLT can include stylesheets from arbitrary hosts
2005-19: Autocomplete data leak
2005-18: Memory overwrite in string library
2005-17: Install source spoofing with user:pass@host
2005-16: Spoofing download and security dialogs with overlapping windows
2005-15: Heap overflow possible in UTF8-to-Unicode conversion
2005-14: SSL “secure site” indicator spoofing
2005-13: Window Injection Spoofing
The spoofing vulnerability applies to any Firefox version
prior to 1.0.1.
Risk level – Moderate
The major threat fixed by this update is an address spoofing
problem. The other security threats addressed by this update appear to be very
Your best bet is to apply the update. While workarounds
are available, they are too complex to explain here.
I find it quite ironic that the IDN spoofing threat was the
main trigger for this big patch rollout for Firefox, and it involves a feature
that Internet Explorer doesn’t support by default. All in all, this is a very
minor update for what is essentially a new browser—version 1.0, after all.
However, keep in mind that Firefox has seen wide use and
testing for much longer than any commercial product could stay in the beta
phase. I would only caution managers to remember that 25 million downloads
doesn’t mean 25 million regular
On a personal note, I actually use both Firefox 1.0 and IE6 on
a daily basis—and not just for testing. Each one has its own advantages,
particularly when dealing with some Java sites.
Also watch for …
Bank of America lost tapes
with the financial data of more than a million federal employees,
including members of Congress. Look
for this to trigger calls for federal legislation—especially after a
few senators get hacked.
suffered a security breach that involved the financial data of nearly
150,000 people who had probably never even heard of the company, and senators
have already called for new laws. But hold on to your hats: The biggest
threat likely comes from even more obscure databases, such as those
maintained by Westlaw or LexisNexis.
XP users need to remember that April 12 is the
deadline when the Automatic Update feature begins triggering your
system to download and install Service Pack 2. If you aren’t prepared to
update from XP or XP SP1, you better check your update settings.