Want to stay on top of
the latest security updates? Automatically
sign up for our free IT Locksmith newsletter, delivered each Tuesday!

The Mozilla Foundation has released a Firefox update to
patch a spoofing vulnerability and to fix a problem that caused Firefox 1.0 to
crash.

Details

Since its November 2004 release, the first full version of Firefox
(1.0) has seen more than 25 million downloads in 100 days. But vulnerabilities
have also cropped up in those 100 days, the most serious of which didn’t affect
Internet Explorer. The vulnerabilities include one that can cause the browser
to crash and another that allows URL address spoofing and could enable
successful phishing attacks.

However, the cumulative threat from all of the
vulnerabilities is actually rather weak. So far, I haven’t seen any reports of
exploits. But the update itself doesn’t appear to cause any serious problems
either, so most users will probably want to make the upgrade.

The main purpose for the update is to provide additional
defense against URL spoofing and phishing attacks. The phishing problem
involves the Internationalized
Domain Name (IDN) homograph spoofing bug. You can find a detailed explanation of this
threat on Shmoo.com.

Firefox users that have switched on the automatic update
feature may already have this upgrade. Users who don’t take advantage of this
feature should know about a few potential problems with this
upgrade—particularly since the cumulative threats are rather mild.

To prevent the automatic update until you’ve evaluated the
new release, go to Tools | Options | Advanced Options | Software Update, and deselect
the check box if you don’t want your version of Firefox updated automatically. While
Firefox 1.0’s Help reports that this feature is on by default, it wasn’t set as
the default when I installed 1.0.

In its weekly security bulletin, SANS reported two minor
problems with the update, one of which involves the resetting of the home page.
The second problem was one I had already experienced with Firefox 1.0, so I’m
not positive it’s really a new problem. In fact, it isn’t really a problem at
all; it’s just the way the program seems to work and involves how browser
windows open from within Microsoft Word.

One major bug with the update process causes Windows and
Linux versions to crash when users type in the address bar. This occurs if you
copied the new version to the same directory where you installed a previous
zipped version . As recommended by Mozilla, you can avoid this bug by changing
the directory where you install the new version.

Mozilla includes information on its Web site about fixing
the problem after it occurs. It details the fix under the Important Note section
near the top of its Release
Notes Web page. Basically, you must wipe out the new installation and start
over.

According to the Known
Vulnerabilities In Mozilla Web page, other security-related vulnerabilities
fixed in version 1.0.1 include:

  • MFSA
    2005-28: Unsafe /tmp/plugtmp directory exploitable to erase user’s files
  • MFSA
    2005-27: Use of plug-ins to load privileged content
  • MFSA
    2005-26: Cross-site scripting by dropping JavaScript: link on tab
  • MFSA
    2005-25: Image drag-and-drop executable spoofing
  • MFSA
    2005-24: HTTP auth prompt tab spoofing
  • MFSA
    2005-23: Download dialog source spoofing
  • MFSA
    2005-22: Download dialog spoofing using Content-Disposition header
  • MFSA
    2005-21: Overwrite arbitrary files downloading .lnk twice
  • MFSA
    2005-20: XSLT can include stylesheets from arbitrary hosts
  • MFSA
    2005-19: Autocomplete data leak
  • MFSA
    2005-18: Memory overwrite in string library
  • MFSA
    2005-17: Install source spoofing with user:pass@host
  • MFSA
    2005-16: Spoofing download and security dialogs with overlapping windows
  • MFSA
    2005-15: Heap overflow possible in UTF8-to-Unicode conversion
  • MFSA
    2005-14: SSL “secure site” indicator spoofing
  • MFSA
    2005-13: Window Injection Spoofing

Applicability

The spoofing vulnerability applies to any Firefox version
prior to 1.0.1.

Risk level – Moderate

The major threat fixed by this update is an address spoofing
problem. The other security threats addressed by this update appear to be very
minor.

Fix

Your best bet is to apply the update. While workarounds
are available, they are too complex to explain here.

Final word

I find it quite ironic that the IDN spoofing threat was the
main trigger for this big patch rollout for Firefox, and it involves a feature
that Internet Explorer doesn’t support by default. All in all, this is a very
minor update for what is essentially a new browser—version 1.0, after all.

However, keep in mind that Firefox has seen wide use and
testing for much longer than any commercial product could stay in the beta
phase. I would only caution managers to remember that 25 million downloads
doesn’t mean 25 million regular
users.

On a personal note, I actually use both Firefox 1.0 and IE6 on
a daily basis—and not just for testing. Each one has its own advantages,
particularly when dealing with some Java sites.

Also watch for …