Firefox officials released a security update, version 1.0.2, to the popular Firefox Web browser on Wednesday.
The update fixes three known vulnerabilities in the browser, two critical and one low-threat, before they could be exploited by hackers, said Chris Hofmann, the Mozilla Foundation's director of engineering. Developers at the organization spent the past week integrating and testing the patch.
The most critical vulnerability was a heap overflow in the browser's GIF parsing code, reported to the Mozilla Foundation a week and a half ago, Hofmann said. If exploited, the flaw would have allowed an attacker to run arbitrary code on the end user's computer.
The second, less critical, vulnerability patched in this version involved a flaw in Firefox's sidebar panel. If a person happened to bookmark a Web page designed to download malware when visited, the flaw allowed that page to execute arbitrary programs by opening
A low-level threat was also plugged in Firefox 1.0.2: tricking a user into dragging and dropping an element could bypass the restriction on opening privileged XUL, the XML markup that describes the browser's user interface.
This is the second security update in the past month for Firefox. In late February the Mozilla Foundation released Firefox 1.0.1, which corrected numerous bugs in the code.
Normally, Hofmann said, security updates are released periodically, but serious vulnerabilities are cause for putting out fixes sooner. Wednesday's security update was prompted by the GIF parsing flaw; the other two fixes happened to be ready when the update was set for release. Hofmann pointed out that the job of turning out a security update is much faster in the open source community.
"We've always had a pretty active development community that's got a passion for security and privacy," he said. "When any issue is raised, they jump on it pretty quickly."