Mozilla has patched a pair of security vulnerabilities in its Firefox Web browser just in time for its release of security tools at the Black Hat security conference in Las Vegas this week.
The most notable is a critical fix for a flaw that Mozilla initially blamed on browser rival Microsoft. Mozilla Foundation Security Advisory 2007-27 is the open source group's second attempt at fixing a flaw in how addresses and other data are passed to external programs.
Mozilla has been struggling with versions of the flaw since it was first reported July 10. The flaw involves the "firefoxurl://" uniform resource identifier (URI) handler, a protocol handler registered with the operating system that lets other applications, including a rival browser, hand a URI to Firefox for handling.
In the Firefox 2.0.0.5 release issued July 18, Mozilla claimed to have fixed the flaw, noting that Microsoft still had similar issues on its side but that the fix took care of Firefox.
However, Mozilla Chief Security Officer Window Snyder admitted that Firefox was still at risk from the flaw a week later. She pledged at the time that Mozilla would move quickly to fix the issue properly.
A week later, here it is: Firefox 2.0.0.6.
"Jesper Johansson pointed out that Mozilla did not percent-encode spaces and double-quotes in URIs handed off to external programs for handling, which can cause the receiving program to mistakenly interpret a single URI as multiple arguments," Mozilla explained in its latest advisory.
"The danger depends on the arguments supported by the specific receiving program, though at the very least we know Firefox (and Thunderbird) 2.0.0.5 and older could be used to run arbitrary script."
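As an added illustration of the argument-splitting problem the advisory describes (this is not Mozilla's code and not taken from the advisory), the following Python models what a receiving program sees on Windows. The handler command template, program path, flag names and the attacker-controlled URI are all constructed for the example; the command-line splitter is a deliberate simplification of the real Windows rules, enough to show how an unencoded space or double-quote turns one URI into several arguments and how percent-encoding those two characters before the hand-off prevents it.

```python
# Added example for the MFSA 2007-27 issue; not Mozilla's code.
# The handler template, program path, flag names and URI below are
# constructed for illustration only.

# Assumed shape of a protocol-handler command registered with the OS:
# the URI is substituted for %1 inside a double-quoted argument.
HANDLER_TEMPLATE = '"C:\\Program Files\\App\\app.exe" -url "%1"'

# Constructed attacker-supplied URI: the embedded double-quote closes the
# quoted %1 argument and the spaces introduce further arguments.
MALICIOUS_URI = 'app://host/path" -extra-flag "value'


def split_windows_args(cmdline):
    """Simplified model of how a Windows program sees its command line:
    whitespace separates arguments and double-quotes group them.
    The real CommandLineToArgvW rules (backslash escaping of quotes, etc.)
    are omitted because they do not change the point being shown."""
    args, current, in_quotes, have_token = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            have_token = True          # "" still yields an (empty) argument
        elif ch in ' \t' and not in_quotes:
            if have_token:
                args.append(''.join(current))
                current, have_token = [], False
        else:
            current.append(ch)
            have_token = True
    if have_token:
        args.append(''.join(current))
    return args


def encode_for_handoff(uri):
    """The fix the advisory describes: percent-encode the two characters
    that let one URI be read as several arguments. Existing percent-escapes
    are left alone so an already-encoded URI is not double-encoded."""
    return uri.replace(' ', '%20').replace('"', '%22')


def build_command_line(template, uri):
    """Substitute the URI for the %1 placeholder, as the OS does when it
    launches a registered handler."""
    return template.replace('%1', uri)


def handoff_args(uri, encode=True, template=HANDLER_TEMPLATE):
    """Return the argument list the receiving program would see, with or
    without the percent-encoding step applied first."""
    if encode:
        uri = encode_for_handoff(uri)
    return split_windows_args(build_command_line(template, uri))


def smuggles_arguments(uri, template=HANDLER_TEMPLATE):
    """Check: does the raw URI yield more arguments than the template's
    fixed arguments plus the single URI argument it is meant to carry?"""
    expected = len(split_windows_args(build_command_line(template, 'x')))
    return len(handoff_args(uri, encode=False, template=template)) > expected


if __name__ == '__main__':
    print('unencoded:', handoff_args(MALICIOUS_URI, encode=False))
    print('encoded:  ', handoff_args(MALICIOUS_URI))
```

Without encoding, the constructed URI arrives as three arguments plus the two the template intended; with encoding it arrives as the single argument `app://host/path%22%20-extra-flag%20%22value`. The same check applies when a template does not quote `%1` at all, in which case a bare space is enough to split the URI. Mozilla's fix targeted exactly spaces and double-quotes; a stricter sender would percent-encode everything outside the characters the receiver is known to treat literally, for example with `urllib.parse.quote` and an explicit `safe` set, because it is the receiving program's parser, not the sender's, that decides where an argument ends.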
The second fix in Firefox 2.0.0.6 addresses a privilege-escalation flaw, described in Mozilla Foundation Security Advisory 2007-26, that was introduced by the fix for a frame-spoofing flaw (Mozilla Foundation Security Advisory 2007-20) shipped in the 2.0.0.4 release and still present in 2.0.0.5.
In addition to updating Firefox, Mozilla has also updated its Thunderbird e-mail client to version 2.0.0.6 for the same issues. The future of Thunderbird itself is currently in question.
In a series of blog posts over the last week, Mozilla's CEO Mitchell Baker has indicated that she would like to see Thunderbird spun out from under the auspices of the Mozilla Corporation. No decisions have yet been made, nor has a timeline been published as to when Thunderbird might be moved.
The Mozilla release notes for the 2.0.0.6 releases do not indicate whether any flaws were fixed in Mozilla's products as a result of the open source group's own security scanning.
At Black Hat this week, Mozilla is expected to release fuzzing tools that will enable developers to break the browser in order to find and fix flaws.