With a last-minute delay of an anticipated critical security
bulletin, Microsoft remained uncharacteristically silent on this month’s
“Patch Tuesday,” the day Redmond traditionally releases its monthly
security bulletins. We can’t say the same for Firefox, which continues to
experience the drawbacks of growing popularity with a newly discovered
vulnerability.

Details

Despite preliminary reports from Microsoft that promised the release of a critical patch, the software giant did not release a security bulletin this month. Rated critical, the scheduled update even garnered some television coverage.

Days before the scheduled release, Microsoft pulled the patch because it needed further testing. The update will likely be part of the regularly scheduled October 11 bulletin release. However, if Microsoft deems the threat particularly urgent, it could release the critical patches earlier.

At this time, we don’t really know which of the recently discovered vulnerabilities the patch will address. For those who like to play the guessing game, security vendor eEye maintains a database that shows how long known vulnerabilities go unpatched.

While the security bulletin languishes on the back burner, there’s plenty of other security news, and Firefox is at the top of the list. A new critical flaw in the Firefox browser has emerged, and the Mozilla Foundation has also made the next-generation version of Firefox available in beta.

According to a News.com report, hackers needed only a few hours to find a way to exploit the newly discovered vulnerability in Firefox, which can allow a remote attacker to run arbitrary code on a compromised system. The French Security Incident Response Team (FrSIRT) has rated the threat a critical risk. According to FrSIRT, the problem affects Mozilla Firefox version 1.0.6 and prior, Mozilla Firefox version 1.5 Beta 1 and prior, and Mozilla Suite version 1.7.11 and prior. However, other Web sites also include the current Netscape browser in the list of vulnerable software.

The problem involves the improper handling of international domain names (IDNs). A temporary fix released by Mozilla simply disables the IDN feature. If you’re using a Firefox version later than 1.0.4, you can get the temporary patch from the Mozilla Web site. If you’re using an earlier version of Firefox, you’ll probably need to upgrade to version 1.0.6 before applying the patch.
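The column only says that Mozilla’s stopgap “disables the IDN feature.” What that policy means at a network or log-review boundary is that only plain ASCII, well-formed hostnames pass and anything internationalized is held back until the browser is fixed. The following is an added illustration of that check, not code from the column, from Mozilla or from FrSIRT: it uses Python’s standard idna codec to convert hostnames to their ASCII-compatible (xn--) form, rejects names the codec refuses (empty or overlong labels), and flags any IDN label. The sample URLs and the function names are constructed for this example.

```python
import urllib.parse

# Constructed sample of URLs such as an egress proxy or a log review might see.
SAMPLE_URLS = [
    "http://www.example.com/index.html",     # plain ASCII hostname
    "http://bücher.example/",                 # Unicode label (an IDN)
    "http://xn--bcher-kva.example/",          # same host, already in ACE form
    "http://" + "a" * 64 + ".example/",       # overlong label: not a valid DNS name
]


def to_ace(host: str) -> str:
    """Convert a hostname to its ASCII-compatible (xn--) form with the idna codec.

    The codec raises UnicodeError for labels that are empty, longer than 63
    characters, or otherwise not encodable, which is exactly the input a
    screening layer should refuse to pass on.
    """
    return host.encode("idna").decode("ascii")


def has_idn_label(host: str) -> bool:
    """True if any DNS label is non-ASCII or already carries the xn-- prefix."""
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            return True
        if any(ord(ch) > 0x7F for ch in label):
            return True
    return False


def classify_host(host: str) -> str:
    """Policy decision mirroring 'IDN disabled'.

    Returns 'allow' for a well-formed ASCII name, 'block-idn' for an
    internationalized name, and 'block-invalid' for a name the codec rejects.
    """
    if not host:
        return "block-invalid"
    try:
        ace = to_ace(host)
    except UnicodeError:
        return "block-invalid"   # malformed: never hand it to a downstream parser
    if has_idn_label(ace):
        return "block-idn"       # internationalized: out of policy while IDN is off
    return "allow"


def classify_urls(urls):
    """Map each URL to the policy decision for its hostname."""
    decisions = {}
    for url in urls:
        host = urllib.parse.urlsplit(url).hostname or ""
        decisions[url] = classify_host(host)
    return decisions


if __name__ == "__main__":
    for url, decision in classify_urls(SAMPLE_URLS).items():
        print(f"{decision:14} {url}")
```

Converting to ACE first and then checking for the xn-- prefix catches both spellings of the same host, and letting the codec reject malformed labels keeps the check from passing along names that a less careful parser would have to cope with.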

Mozilla has released Firefox 1.5 Beta 1 (code-named Deer Park), and the new version is currently available for free download in Windows, Linux, and Mac OS X versions. Keep in mind that the beta version is also vulnerable to the newly discovered IDN flaw described above, so you should patch it immediately during installation.

Or, you might want to just hold off until early October.
That’s when Mozilla expects to release the final beta version of Firefox 1.5,
which the organization says will include a patch for the IDN vulnerability.

If you do decide to download the newest update, don’t forget
that this is a beta version. That
means some things may not work as expected, and you could experience unusual
problems. Nevertheless, this release is ready for early adopters, and it’s
essential for developers who need to prepare for its full release later this
year.

I don’t recommend relying on the beta version as your main
browser just yet. Make sure your users know that this is not the replacement for Firefox 1.0.x. The latest non-beta release
of Firefox is version 1.0.6, and that’s the one most people should be using.

Version 1.0.6 fixed two critical vulnerabilities, Mozilla Foundation
Security Advisory (MFSA) 2005-56
(“code execution through shared
function objects”) and MFSA 2005-53
(“standalone applications can run arbitrary code through the browser”),
as well as several other high- and moderate-level threats. Updating the browser
is purportedly easier, but I haven’t tested it yet.

While feature bloat is always a problem with any popular
software (and I fear this may be starting to overtake Firefox), I was surprised
and pleased to see that the beta version addressed one of my minor gripes—the
ability to reorder browser tabs. I’m not certain that I’ll actually use the
feature, but I’ve thought it might be useful several times. Here’s a look at
some other improvements:

  • The addition of Answers.com to the quick search box
  • Improved caching because the browser’s Back and Forward functions now load more quickly
  • Improved popup blocking (I haven’t been able to see any benefit, but I’ve found the current Firefox popup-blocking feature to work very well, so I probably wouldn’t notice any improvement anyway.)
  • Improved accessibility for visually impaired users (This is one change I was very happy to see, having worked on making technology more user-friendly for the disabled for decades.)

Final word

While I still don’t think that Firefox is significantly more
secure than the latest, fully patched version of Microsoft Internet Explorer,
it’s a very nice browser, and I use it daily—I just don’t fool myself that it’s
secure. As predicted by virtually everyone who wasn’t completely obsessed with
Microsoft bashing, Firefox’s growing popularity has made it a new favorite
target of hackers, who have quickly exposed a series of critical
vulnerabilities.

Let’s face it: All software has flaws, but some of it just
isn’t popular enough for hackers to bother dissecting. Hackers aren’t dumb—they
prefer to work in a target-rich environment.

It’s worth noting that Microsoft isn’t the only browser
vendor that rubs some security researchers the wrong way. According to the
News.com report, the discoverer of the vulnerability reported it to Mozilla on
September 4 but became frustrated (or annoyed) with the lack of response.

Instead of waiting, Tom Ferris published the proof-of-concept on September 8. He provided this explanation in his announcement: “Vendor Status: Mozilla was notified, and I’m guessing they are working on a patch. Who knows though?”

Mozilla is reportedly very upset over the early disclosure.
Here’s my message to Mozilla: If you want to play with the big boys, get over
it! Remember: This is one of the major complaints users have always had about
Microsoft, and it’s, in large part, why you’re even around.

Note to vendors who brag about how secure their software is:
When a security expert notifies you of a critical vulnerability, take the time
to confirm that you received the message. After all, they’re working to improve
your product and support your users for free.

To be fair to Mozilla, I felt I had to contact the
organization to see if it had any reply to Ferris’ complaints about the lack of
response. That was September 15. As of September 19, I’m still waiting for a
response other than “Do we still have an opportunity to respond to your
inquiry this afternoon before the article is published regarding Tom Ferris’ bug
report last week?”

I received that from Mozilla’s PR agency on September 16. I
immediately replied yes, but I still haven’t heard anything back as of this
morning. Somehow I can sympathize with Tom Ferris.


John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.