Mozilla: Firefox can be hacked via booby-trapped images

Summary:For the second time in a week, Mozilla patches a "critical" vulnerability that could be remotely exploitable and can lead to arbitrary code execution.

For the second time this week, Mozilla has rushed out a Firefox security update to fix a dangerous security vulnerability.

The latest vulnerability, which was discovered and reported by representatives from Red Hat, "could be attacked simply by displaying a maliciously crafted image."

The skinny from a Mozilla advisory:

follow Ryan Naraine on twitter

The libpng graphics library, used by Firefox and Thunderbird as well as many other software packages, contains an exploitable integer overflow bug. An attacker could craft malicious images which exploit this bug, and deliver them to users through websites or email messages.

This bug is remotely exploitable and can lead to arbitrary code execution. Firefox, Thunderbird and Seamonkey users could be attacked simply by displaying a maliciously crafted image.

[ SEE: Ten little things to secure your online presence ]

The open-source group shipped Firefox 10.0.2 to correct the flaw.  The fix is being distributed via the browser's silent update mechanism.

Earlier this week, Mozilla patched a separate flaw that could lead to drive-by download malware attacks if a user simply surfed to a booby-trapped web site.  Both browser updates are rated "critical," Mozilla's highest severity rating.

Topics: Browser, Security

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.