TechWeb

Mozilla Working On Fix For Firefox Flaw

Feb 22, 2007 (10:02 AM EST)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=197008167


Mozilla said it is still working on the next security update for Firefox and will release it as soon as work is completed on a fix for a flaw that lets hackers tamper with how Web sites are displayed.

The security update for the open-source browser was originally slated for release on Feb. 21 but was pushed back to accommodate a fix for this new flaw -- the location.hostname vulnerability -- and other security and stability issues.

Michal Zalewski, a Polish security researcher, first disclosed the vulnerability last week on the Full Disclosure mailing list. He says the flaw is present in the most recent version of Firefox, 2.0.0.1, but adds that other recent versions are affected as well.

The vulnerability allows malicious Web sites to manipulate authentication cookies for third-party sites.

"The impact is quite severe: Malicious sites can manipulate authentication cookies for third-party webpages, and, by the virtue of bypassing same-origin policy, can possibly tamper with the way these sites are displayed or how they work," Zalewski writes.
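The article does not describe how the hostname setter was abused, only the consequence: a hostname the browser should not have accepted became the basis for deciding which cookies a page could read or set. The following is an added example, not code from Firefox, from Mozilla's fix, or from the article, showing the two checks that a cookie store depends on: strict validation of the document's hostname (any embedded control character or invalid DNS label is rejected) and RFC 6265 domain matching between that hostname and a cookie's Domain attribute. The function names and the test hosts are constructed for illustration.

```javascript
// Added example (not from the article or from Mozilla's code): the hostname
// validation and cookie domain matching a browser's cookie scoping relies on.
// Function names and sample hosts are assumptions made for this example.

// A hostname is a dot-separated list of DNS labels: letters, digits and
// hyphens only, 1-63 characters each, not starting or ending with a hyphen,
// at most 253 characters in total.
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

function isValidHostname(host) {
  if (typeof host !== "string" || host.length === 0 || host.length > 253) {
    return false;
  }
  // Control characters (NUL, CR, LF, ...) are never part of a hostname and
  // must be rejected before any suffix comparison is attempted.
  // eslint-disable-next-line no-control-regex
  if (/[\u0000-\u001f\u007f]/.test(host)) return false;
  const labels = host.replace(/\.$/, "").split(".");
  return labels.length > 0 && labels.every((l) => LABEL_RE.test(l));
}

// RFC 6265 section 5.1.3 domain matching: a request host domain-matches a
// cookie domain when the two are equal (case-insensitively), or when the
// cookie domain is a suffix of the host and the character before that suffix
// in the host is a dot. A leading dot on the cookie domain is ignored.
// This function performs no validation; that is deliberate, to show how a
// malformed host slips through a suffix check on its own.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  if (h === d) return true;
  return h.endsWith("." + d);
}

// May a document served from documentHost set a cookie scoped to
// cookieDomain? Both names are validated first, so a hostname the setter
// should never have accepted cannot become the basis for a cookie scope.
function canSetCookieFor(documentHost, cookieDomain) {
  const d = cookieDomain.replace(/^\./, "");
  if (!isValidHostname(documentHost) || !isValidHostname(d)) return false;
  return domainMatches(documentHost, d);
}

// Constructed cases: [document host, cookie Domain attribute, expected].
const CASES = [
  ["www.example.com", "example.com", true],
  ["www.example.com", ".example.com", true],
  ["WWW.Example.COM", "example.com", true],
  ["www.example.com", "bank.example", false],
  ["www.example.com", "ample.com", false], // suffix, but not on a label boundary
  ["www.example.com\u0000.bank.example", "bank.example", false], // embedded NUL
  ["www.example.com", "bank.example\u0000", false],
  ["www..example.com", "example.com", false], // empty label
];

// Returns the list of cases whose result differs from the expectation.
function runCases() {
  return CASES.filter(([host, dom, expected]) => canSetCookieFor(host, dom) !== expected);
}

if (typeof require !== "undefined" && require.main === module) {
  const failures = runCases();
  console.log(failures.length === 0 ? "all cases pass" : failures);
  // A bare suffix check is fooled by the NUL-bearing host; validation is not.
  console.log(domainMatches("www.example.com\u0000.bank.example", "bank.example"));
  console.log(canSetCookieFor("www.example.com\u0000.bank.example", "bank.example"));
}
```

The contrast between `domainMatches` and `canSetCookieFor` is the point: suffix matching alone happily accepts a host that merely ends in `.bank.example`, whatever garbage precedes it, so the cookie store is only as trustworthy as the hostname validation in front of it.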

Mike Schroepfer, vice president of engineering for Mozilla, says the new security update will be out "soon."

"We have not heard of any reported exploits of these vulnerabilities, however, we are working to address the issue as quickly as possible to minimize the security risk to Firefox users," he wrote in an email response to InformationWeek questions. "Mozilla takes security vulnerabilities very seriously. Our contributors have been working through the weekend to address this issue as quickly as possible."

Zalewski has posted an online test that determines whether your browser is affected.