A day after Symantec’s newest Internet Security Threat Report claimed that Firefox has twice the number of vulnerabilities as Internet Explorer, Mozilla released a security update of its popular open-source Web browser.
Released today, Firefox 1.0.7 is billed as a security and stability update in response to a flaw announced yesterday. The patches fix what was described as an internationalized domain name (IDN) buffer overflow vulnerability and a Linux command-line URL parsing flaw.
The flaw could allow an attacker to execute arbitrary commands on a victim’s system. The bug exists in the Linux shell scripts that Firefox and the Mozilla Application Suite rely on to parse URLs supplied on the command line or by external programs.
If the supplied URL contains any Linux commands enclosed in backticks, these will be executed before Firefox or the Mozilla Application Suite tries to open the URL. Shell variables such as $HOME will also be expanded.
Detailing the Flaw
Mozilla said while this flaw cannot be exploited solely from within Firefox or the Mozilla Application Suite itself, an attacker could take advantage of the vulnerability by tricking a victim into following a malicious link in an external program (e.g., an e-mail client or Instant Messaging application) on a Linux system where Firefox or the Mozilla Application Suite is the default browser.
For example, consider a Linux user who uses Firefox as the default Web browser and Mozilla Thunderbird as the default e-mail client. An attacker could send an e-mail to this user containing a link to http://local`find`host.
When the user clicks on this link in Thunderbird, Firefox’s URL-parsing shell script will be invoked and will execute the find command before calling Firefox to open the URL. Users can avoid this vulnerability by not following links in external programs, particularly suspicious links found in e-mails, instant messages or chat conversations.
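The two launcher patterns at the heart of this flaw, as an added example that is not Mozilla's own script code: an unsafe launcher that re-parses its argument through the shell, beside a hardened one that passes the URL through untouched and refuses anything containing shell metacharacters. The browser binary is a constructed stand-in that simply echoes the URL it receives.

```shell
#!/bin/sh
# Added example, not Mozilla's launcher code. Contrasts the unsafe pattern
# described above (the URL re-parsed by the shell) with a hardened launcher
# that never re-parses its argument and refuses URLs containing shell
# metacharacters. browser_bin is a constructed stand-in for the real binary.

browser_bin() {
    printf '%s\n' "$1"
}

# Unsafe: eval re-parses the argument, so backticks and $VAR inside the URL
# are expanded by the shell before the browser ever sees it.
unsafe_open() {
    eval "browser_bin \"$1\""
}

# Conservative URL character set (kept in a variable because a bare & in a
# case pattern would be read as a control operator).
allowed='A-Za-z0-9._~:/?#@%+=&-'

# Hardened: the URL only ever travels as a quoted positional parameter, and
# anything outside the allowed set or an unsupported scheme is refused before
# the browser is invoked. Returns 1 on refusal, 0 after handing off the URL.
safe_open() {
    url=$1
    case $url in
        *[!$allowed]*)
            printf 'refused (shell metacharacter): %s\n' "$url" >&2
            return 1 ;;
        http://*|https://*) ;;
        *)
            printf 'refused (unsupported scheme): %s\n' "$url" >&2
            return 1 ;;
    esac
    browser_bin "$url"
}

# Demonstration with a constructed URL carrying backticks and $HOME.
demo() {
    u='http://local`echo INJECTED`host/$HOME'
    printf 'unsafe path: '; unsafe_open "$u"
    safe_open "$u" || echo 'safe path: refused'
    safe_open 'https://example.org/search?q=1&lang=en'
}

demo
```

The allowlist is defence in depth only; the fix that actually closes the hole is never re-parsing the argument with eval (or an equivalent `sh -c` with the URL spliced into the command string).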
Resolving Previous Regressions
There are also other security and stability changes in Firefox 1.0.7, including a fix for a crash experienced when using certain Proxy Auto-Config scripts. In addition, some regressions introduced by previous 1.0.x security updates have been resolved.
The Mozilla Foundation previously issued a patch for Firefox 1.0.6 that protected users against the IDN link buffer overflow flaw at the expense of removing support for IDNs.
Firefox 1.0.7 has a more permanent solution that does not involve disabling IDN functionality, and any users who installed the patch will find that IDN support is restored when they upgrade.
Call for In-Depth Security
Michael Sutton, director of the iDefense Lab, told LinuxInsider that, given the various reports citing flaws in almost every browser, it’s a mistake for companies to base browser selections on security alone.
“Security is certainly very important, but organizations should be applying defense in depth. That means that you should have multiple layers of defense,” Sutton said. “You shouldn’t be relying on one security measure, because that will be the weak link in your chain.”
Sutton said a year ago the cry was, “switch to Firefox because IE has too many flaws.” Today, he’s hearing a cry to switch to Opera. He called it an indefinite race for security in which there is no finish line.
“It goes beyond choosing a secure application,” Sutton said. “Companies need to focus on putting controls in place to make sure the application is secure. That means focusing on the infrastructure and users on all levels.”