
Another Mozilla flaw

by Nikola Strahija on September 21st, 2005

A serious security flaw surfaced on Tuesday that affects Firefox and the Mozilla browser suite on Linux and Unix only; Microsoft's Internet Explorer and Windows are not affected.


The bug is in the shell scripts that Firefox and the Mozilla browser suite use on Linux and Unix to handle web addresses supplied on the command line or by external programs such as email clients. Researcher Peter Zelezny discovered that a command enclosed in backtick characters (`) and embedded in the URL is executed by the shell when the script processes the address, before the browser itself runs.

The flaw doesn't require any web interaction to be effective. If, for example, a user who has an affected version of Firefox or Mozilla set as the default browser clicks a maliciously crafted URL in an email program, the embedded commands are executed before the browser is launched.
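The bug class described in the two paragraphs above, as an added illustration that is not the Mozilla launcher script itself: a stand-in POSIX sh wrapper receives the URL as its first argument, the way a mail client hands a clicked link to the default browser. The vulnerable version builds its remote-command string with eval, so a backtick or $(...) substitution embedded in the URL runs before any browser starts; the hardened version only ever treats the URL as a single quoted word. The function names, the openURL(...) string layout and the sample URL are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added illustration of the Firefox/Mozilla launcher-script bug class.
# These are stand-in wrappers, not the real firefox or run-mozilla.sh
# scripts. Each receives the URL as $1, as an e-mail client would pass it
# to the default browser.

# VULNERABLE: the URL is spliced into a string that is then handed to eval.
# eval re-parses the string, so `...` and $(...) inside the URL are run as
# commands before the browser would ever be launched.
launch_vulnerable() {
    url=$1
    eval "remote_cmd=\"openURL($url,new-tab)\""
    # A real launcher would pass this string to the browser's -remote
    # option; here it is printed so the effect of the injection is visible.
    printf '%s\n' "$remote_cmd"
}

# HARDENED: the same string is built with ordinary double quoting and no
# eval. The shell expands $url exactly once, as data, and never re-parses
# the result, so metacharacters in the URL remain literal text.
launch_hardened() {
    url=$1
    remote_cmd="openURL($url,new-tab)"
    printf '%s\n' "$remote_cmd"
}

# Defence in depth: refuse URLs carrying the substitution syntax the shell
# would act on if the URL ever reached eval again. Returns 0 when the URL
# is clean, 1 when it contains a backtick or a $( sequence.
url_free_of_shell_substitution() {
    case $1 in
        *\`*|*\$\(*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Constructed sample URL: a harmless echo stands in for a real payload.
payload='http://example.com/`echo INJECTED`'
launch_vulnerable "$payload"   # openURL(http://example.com/INJECTED,new-tab)
launch_hardened "$payload"     # openURL(http://example.com/`echo INJECTED`,new-tab)
```

Run it as an ordinary script to see both outputs. The fix that matters is the one in launch_hardened: the URL never goes through a second round of shell parsing. The metacharacter check is only a backstop, since a URL is legitimately allowed to contain characters such as parentheses and the shell's full quoting rules are easy to get wrong in a filter.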

Security advisory agencies Secunia and FrSIRT both gave the flaw their most serious ratings.

The Mozilla Foundation issued Firefox 1.0.7 on Wednesday, fixing this flaw as well as a week-old security bug in the handling of Internationalized Domain Names (IDN). The update can be found on the Firefox website.

Tristan Nitot, president of Mozilla Europe, has said that Symantec's recent report, which states that Linux and Firefox are not as safe, doesn't tell the whole story. For one thing, Firefox patches arrive faster than those for Internet Explorer, he said, pointing out that Microsoft won't even issue its monthly patch in September. More flaws are being discovered in Firefox in the short term because of its newfound popularity, but overall Internet Explorer's flaws are more numerous and more severe, according to Nitot.

