Mozilla Scrambles to Close Firefox Vulnerability


In a bid to respond to a critical security vulnerability, Mozilla has released a new version of its open source Firefox Web browser ahead of schedule.

Available for Windows, Mac, and Linux users, Firefox 3.6.2 had originally been scheduled for release on March 30. But the browser made its debut earlier than expected due to a critical flaw in Firefox 3.6 that involves Firefox's WOFF (Web Open File Format) implementation, which is at risk from an integer overflow condition.

"This flaw could result in too small a memory buffer being allocated to store a downloadable font," Mozilla stated in its advisory. "An attacker could use this vulnerability to crash a victim's browser and execute arbitrary code on his/her system."

WOFF is an open file format for downloadable fonts that is supported in the Firefox 3.6 browser. Previous versions of Firefox did not support WOFF and so are not affected by the WOFF vulnerability now patched in Firefox 3.6.2.
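The bug class the advisory describes, as an added illustration in C that is not Mozilla's code: an allocation size is computed from two untrusted 32-bit font-header fields, the product wraps, and malloc() receives a buffer far smaller than the data the loader later writes into it. The header layout, field names and the size limit are assumptions for the example, not the actual WOFF structures.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified font directory header: both fields come straight
 * from the downloaded file and are therefore attacker-controlled. */
struct font_dir_header {
    uint32_t num_tables;   /* number of directory entries claimed */
    uint32_t entry_size;   /* bytes per entry claimed */
};

/* Assumed policy limit for a sane table directory (not a WOFF constant). */
#define MAX_DIR_BYTES (16u * 1024u * 1024u)

/* VULNERABLE pattern: the product is evaluated in 32 bits and silently
 * wraps modulo 2^32, so a huge directory can yield a tiny allocation. */
size_t vuln_alloc_size(const struct font_dir_header *h) {
    uint32_t total = h->num_tables * h->entry_size;  /* may wrap */
    return total;
}

/* HARDENED pattern: widen to 64 bits so the product cannot wrap, then
 * bound it before it ever reaches the allocator. Returns 1 on success,
 * 0 when the header must be rejected. */
int safe_alloc_size(const struct font_dir_header *h, size_t *out) {
    uint64_t total = (uint64_t)h->num_tables * (uint64_t)h->entry_size;
    if (total == 0 || total > MAX_DIR_BYTES)
        return 0;  /* overflowing or absurd directory: refuse to load */
    *out = (size_t)total;
    return 1;
}

/* Loader built on the hardened check: allocates only a validated size and
 * zero-fills it. Caller frees the result; NULL means the font was rejected. */
unsigned char *load_directory(const struct font_dir_header *h, size_t *len) {
    size_t n;
    if (!safe_alloc_size(h, &n))
        return NULL;
    unsigned char *buf = malloc(n);
    if (buf == NULL)
        return NULL;
    memset(buf, 0, n);
    *len = n;
    return buf;
}
```

With the constructed header {0x40000001, 4} the vulnerable computation yields 4 bytes while the file claims over four gigabytes of table data; the hardened path rejects the same header outright.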

The flaw fixed in Firefox 3.6.2 was first publicly reported at the end of February. Mozilla initially rejected the report, stating at the time that it could not confirm the security flaw because it had not received a proof-of-concept with which to reproduce the issue.

Mozilla also initially stated that, when it sought additional information, it had not yet received a response from the security researcher who had originally reported the issue.

On March 18, however, Mozilla said it had heard back from security researcher Evgeny Legerov, who had reported the vulnerability. With additional information from Legerov, Mozilla determined that the flaw was, in fact, legitimate and critical.

Firefox 3.6.2 is the first update for the Firefox 3.6 browser since its initial release at the end of January. Mozilla did not issue a Firefox 3.6.1 update, deciding instead to skip that version number to better stay in sync with the underlying Gecko rendering engine platform on which Firefox 3.6 is based.

The Firefox 3.6.2 fix comes just ahead of the pwn2own 2010 hacker competition, which offers up to $100,000 to security researchers who can find security vulnerabilities in Web browsers and mobile platforms. In 2009, security exploits were found in Apple Safari, Microsoft Internet Explorer, and Mozilla Firefox during that year's pwn2own event.

Now with this year's pwn2own event looming, Mozilla isn't the only browser-maker tending to security. Google Chrome and Apple's Safari have both been patched in recent weeks ahead of the event.

Sean Michael Kerner is a senior editor at, the news service of, the network for technology professionals.