TechWeb

Mozilla, Firefox Open To Attack

Feb 28, 2005 (09:02 AM EST)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=60404042


Hackers can grab control of computers by taking advantage of vulnerabilities in both the Mozilla browser suite and the Firefox stand-alone browser, a security intelligence firm said Monday.

According to Reston, Va.-based iDefense, Mozilla 1.7.3 and Firefox 1.0 -- and likely all earlier versions as well -- include a "design error" that lets hackers create a memory heap overflow, which then allow remote code execution and a compromise of the system. Even a failed attempt to exploit this flaw could bring down the browser, added iDefense.

Mozilla characterized the problem as "high" on the severity chart, but "low" on risk, in part because it said a successful exploit was dicey. "Creating the exact conditions for exploitation--including running out of memory at just the right moment--is unlikely," Mozilla said in an online security advisory.

There is no patch -- not uncommon with Mozilla browsers -- and instead users are urged to update to the newest versions, which don't include the flaw. Mozilla 1.7.6 and just-released Firefox 1.0.1 are the recommended editions. Both can be downloaded from the Mozilla Foundation Web site.

iDefense has posted details on the vulnerability on its site.