Mozilla Issues Patches for Firefox Installation Bugs

The Mozilla Foundation has readied security patches to thwart what security firm Secunia reported earlier this week as two "extremely critical" flaws in its Firefox browser.

Secunia said the vulnerabilities could be exploited by malicious people who wish to take control of victims' computers. Mozilla's executives are hoping the firm will downgrade the rating once the patches are fully distributed.

Chris Hofmann, director of engineering of Mozilla Foundation, told LinuxInsider that fixes are currently available in 12 of the 37 languages Firefox offers. Fixes for the remaining languages will be ready in the next 24-28 hours.

"We provided a workaround earlier this week. We advised users to disable the list of sites from which they allow software updates," Hofmann said. "The fix that we put out last night allows users to turn that list back on."

Reviewing the Bugs

The first problem, Secunia said, is that "IFRAME" JavaScript URLs are not properly protected from being executed in the context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session.

The second problem is that input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. Secunia said this can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL. Successful exploitation requires that the site is allowed to install software.
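The IconURL problem above is a URL-scheme validation failure: a value that is supposed to name an image is accepted even when it is a javascript: URL, and the code that later uses it has more privilege than the page that supplied it. The snippet below is an added illustration of the kind of check a caller or the API itself would want; it is not Mozilla's code or the actual Firefox patch, and the function names, the ALLOWED_SCHEMES set and the shape of the install specification object are assumptions made for the example. It contrasts a naive prefix denylist with a scheme allowlist applied after full URL parsing.

```javascript
// Added example (not from Mozilla or the original article): validating an
// attacker-controlled IconURL before it is used. Names are assumptions.

// Only plain web schemes may be used to fetch an icon. Anything else
// (javascript:, data:, file:, vbscript:, ...) is rejected by omission.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Hardened check: parse with the WHATWG URL parser, which lowercases the
// scheme, strips leading C0-control/space characters and removes embedded
// tabs and newlines, so "  JavaScript:alert(1)" and "java\tscript:..."
// normalize to the javascript: scheme and are refused. Relative icon paths
// resolve against the (assumed) install page's base URL.
function isSafeIconURL(raw, base = "https://example.invalid/install/") {
  if (typeof raw !== "string") {
    return false; // missing or non-string value: do not guess, reject
  }
  let url;
  try {
    url = new URL(raw, base);
  } catch (e) {
    return false; // unparseable input is rejected rather than passed through
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Naive check for comparison: a literal prefix denylist. It is defeated by
// leading whitespace, mixed case, embedded tabs, or any other dangerous scheme.
function naiveIconURLCheck(raw) {
  return typeof raw === "string" && !raw.startsWith("javascript:");
}

// Apply the hardened check to an install specification of the assumed form
// { "Extension Name": { URL: "...xpi", IconURL: "...png" }, ... }.
// Entries with an unsafe IconURL keep their URL but lose the icon, so the
// installer falls back to its default icon instead of loading attacker input.
function sanitizeInstallSpec(spec) {
  const out = {};
  for (const [name, entry] of Object.entries(spec)) {
    out[name] = { ...entry };
    if (!isSafeIconURL(entry.IconURL)) {
      delete out[name].IconURL;
    }
  }
  return out;
}

// Constructed sample input resembling what a hostile install page could pass.
const SAMPLE_SPEC = {
  "Harmless Theme": {
    URL: "https://example.invalid/files/theme.xpi",
    IconURL: "https://example.invalid/files/theme.png",
  },
  "Hostile Extension": {
    URL: "https://example.invalid/files/ext.xpi",
    IconURL: "  JavaScript:void(0)", // normalizes to javascript:
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(sanitizeInstallSpec(SAMPLE_SPEC), null, 2));
}
```

The point of the contrast is that the naive check answers "does it start with javascript:" while the question that matters is "after the browser has parsed it, what scheme will actually be dispatched". Validating the parsed scheme against a short allowlist answers the right question and also covers schemes the denylist never thought of.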

Hofmann said staying ahead of malicious code writers is a continual process for the open-source software group. "We want to continue to encourage security researchers and experts to help us improve the browser," he said. "These contributors help us create a strong architecture around the browser that will protect us from serious exploits ever appearing."

'All-Eyes' Development Approach

Open-source software companies like Mozilla have an advantage over commercial companies, said Hofmann, because the availability of the source code opens the door for new perspectives.

"We actually have a very passionate community of developers that are working on security and privacy," he said. "When these types of reports come in, they respond very quickly to help us get the patch put together and tested and out to users."

In the browser wars, the bottom line is becoming more about security on a World Wide Web full of hackers, crackers and online thieves, according to industry watchers. Jupiter Research analyst Joe Wilcox told LinuxInsider that it remains to be seen which browser offers the best protection.

Providing Cover

"There's the argument that the open-source, all-eyes approach keeps the software more secure in the first place and provides more resources for fixing problems when they are uncovered," he said. "The commercial argument says because outsiders generally don't see the source code it's more difficult for them to uncover or generate vulnerabilities. The commercial camp says it is also able to respond faster."

All debate aside, Wilcox said it boils down to quick response times when bugs are discovered. In response, Hofmann said Mozilla is committed to that quick response with the help of its growing community.


By Jennifer LeClaire