Firefox patch imminent

Summary: Mozilla said that it plans to release Firefox 2.0.

TOPICS: Security, Browser

Mozilla said that it plans to release Firefox Feb. 7 or Feb. 8. The release will fix a high severity vulnerability.

The vulnerability, which was given a severity rating on Jan. 29, allows an attacker to swipe cookies and other critical data that can leak out of Firefox via flat files (add-ons). In a brief post, Mozilla said:

Since the security of our users is of utmost importance, the release schedule for Firefox is being pushed up as much as possible, with a current release date estimated to be February 7th or 8th.

On Jan. 29, Mozilla security chief Window Snyder said the vulnerability will be patched with Firefox, which will be pushed out “shortly.”

On Jan. 22, Snyder confirmed a proof of concept vulnerability discovered by researcher Gerry Eisenhaur on Jan. 19. Simply put, Firefox leaks information that can allow an attacker to load any JavaScript file on a machine. This “chrome protocol directory traversal” is in play whenever “flat” files, which are common in add-ons, are installed.

  • Of course it's imminent

    Mozilla takes care of their apps. I would expect nothing less from them.
    • In what world?

      >"Mozilla takes care of their apps. I would expect nothing less from them"

      Hmmm. None of the bugs that were introduced with Firefox version 2 have even been acknowledged, much less fixed, by Mozilla. And (like Microsoft) there is no practical avenue for reporting flaws (without spending an entire day filling out irrelevant forms, and bouncing from webpage to webpage for the privilege). The only thing they occasionally address are the various security flaws (which Firefox wasn't supposed to have in the first place, according to all the hyperbole and fanboy talk). Sounds a lot like Microsoft, doesn't it?

      I switched to Firefox, not because of the gimmicky features which have very little practical use, but because Microsoft has made IE virtually unusable and extremely unstable. I enjoyed a few months of relaxed browsing, without memory leaks, and without random crashes. Since version 2 of Firefox, I have been forced to go back to IE to avoid memory leaks and random crashes. No, Microsoft hasn't fixed IE. Mozilla has just made Firefox worse.

      Plus ça change, plus c'est la même chose.
  • 9 days to patch

    That's just one of the reasons FF is considered the safest browser around today.
    Hope the changes are reflected in the Ubuntu repositories soon.
    • Proactive security

      If you've been using NoScript with Firefox, you would have been protected against this exploit even before it was announced.
  • Is Firefox really safe to use?

    This news is not good, because you can always think about what other security problems this browser has...
    With the imminent sale of Yahoo, Microsoft will push strongly with their IE; it is not, I guess, a good moment to have that kind of trouble...
    • Perspective check

      The flaw was discovered on Saturday January 19th, and acknowledged on Tuesday January 22, with the solution expected soon.

      The last IE flaw we heard about here was worse, discovered in August and finally acknowledged by MS in January.

      Take your pick: do you want a buggy browser whose security flaws are only admitted when they are forced to (IE) or one whose security flaws are admitted on the FIRST BUSINESS DAY (Monday was a US Federal holiday) after it was found?
      • I agree, IE is buggy

        Firefox is the only browser I've been able to use successfully on my Vista laptop. IE crashes a lot, and Opera crashes even more. I rarely have a crash with Firefox. I also feel like they do a pretty decent job in keeping things patched. I'll stick with FF.
  • Patch is LATE - Hackers are happy

    How dare they leave people at the mercy of hackers for almost a month!!
  • Mozilla is very good about fixing bugs quickly

    I prefer Firefox, especially how easy it is to turn off Javascript and Java, no messing with multiple security zones all the time.
  • Firefox and NoScript -

    a combination hard to beat !...

  • Larry and/or George..... Why no mention of NoScript?

    (as even the researcher recommends it)
    And is this issue primarily only on Windows?
    Are there not similar flaws/PoCs and actual exploits for IE6/7?

    I have tried the demo PoCs with IceWeasel/FF 1.5, with/without NoScript (on various Linux).

    Even using one of the suspected affected extensions (tabbrowser preferences), I get a blank page or undefined.

    What should be the result for successful exploit?
    and is it just Windows?