April 18, 2005 (12:36 PM EDT)

Mozilla Patches Firefox, But Site Suffers Brief Outage

By Gregg Keizer, TechWeb Technology News

Mozilla's browsers have been patched against a half dozen or more vulnerabilities, the open-source group responsible for producing the popular Firefox and the older Mozilla suite said late last week.

The Mozilla.org site was offline and unavailable for nearly two hours Monday, but at the time of this posting, it was back up and running.

Firefox was updated to 1.0.3 and Mozilla to 1.7.7 on Friday. Both updates are essentially security fixes that plugged nine and six vulnerabilities, respectively. The most substantial vulnerability was a bug in the JavaScript engine's memory heap management, which was first reported earlier this month.

Other vulnerabilities -- including some that were reported by bug hunters who were paid the $500 Mozilla bounty -- were also fixed in the updates, said Chris Hofmann, Mozilla's director of engineering, in an e-mail.

Danish security firm Secunia tagged the vulnerabilities in both Firefox and Mozilla as "highly critical" and noted that most could let an attacker insert his or her own code onto a compromised machine. In several of the vulnerabilities, however, the end user has to help the attack by, for instance, opening a blocked popup.

"There have been no known exploits of the bugs patched in Firefox 1.0.3 and Mozilla 1.7.7," said Hofmann on Friday. "We work toward getting these updates to our users as quickly as possible."

By Sunday, however, exploits were circulating, according to Finnish security firm F-Secure.

Two of the bugs -- one involving a site's "favicon," the other related to the browsers' sidebar -- could be exploited using proof of concept code that F-Secure spotted on Internet mailing lists. "These exploits allow the attacker to run arbitrary commands on Firefox before version 1.0.3 and Mozilla before version 1.7.7," said F-Secure's Mikko Hypponen, the company's director of anti-virus research, in a blogged alert. "We advise all Mozilla and Firefox users to immediately patch their browsers. Otherwise you might get nasty stuff happen[ing] on your computer just by surfing to the wrong site."

Updates to Firefox and Mozilla are normally posted to the mozilla.org Web site, but neither browser yet features a patching mechanism, so users must download an entire new installation file, which in Firefox's case runs 4.7MB.

"We encourage all our 45+ million users to download the update," urged Hofmann.

Even while the mozilla.org site was offline, users were still able to grab a copy of Firefox 1.0.3 or Mozilla 1.7.7 direct from the group's FTP server.

