Mozilla Issues ‘Critical’ Security Fixes

Mozilla Foundation this week released patches for its Firefox browser, its Thunderbird e-mail client, and its SeaMonkey Internet application suite, responding to an increase in security issues accompanying the open source software’s surging popularity.

Firefox has topped the 15 percent mark in browser market share. That’s still far behind Microsoft’s dominant Internet Explorer browser, but IE has been slipping of late, while Firefox’s fortunes continue to rise.

It’s unclear whether more serious attention from attackers is on the way, but even if that should be the case, Mozilla will have certain advantages over Microsoft in dealing with such problems.

“It’s going to be easier to manage and provide a more rapid response,” VeriSign iDefense Rapid Response Team Director Ken Dunham told LinuxInsider. That’s because Firefox has a modular design with fewer lines of code and fewer interdependencies than Explorer.

Critical Fixes

The three patches that Mozilla issued this week were for security issues it deemed “critical.” However, none of the vulnerabilities they address affect the latest version of the Firefox 2.0 browser.

The first fix covered a flaw affecting Firefox, Thunderbird and SeaMonkey software that would allow running script to be recompiled. The second vulnerability, affecting the same three software products, could allow forgery of an RSA signature, Mozilla said.

The third issue, which affects the same applications, could cause a computer crash with evidence of memory corruption, Mozilla said.

Attacks Underway

Although the vast majority of Internet attacks are aimed at IE, due to its share of the browser market and its tight coupling with Windows, some do target Firefox code, according to Dunham.

Browser-based attacks have become common, and the trend is fueled by “point and click” exploit-and-attack methods, as well as the increasing availability of attack code.

In addition to high-profile attacks reminiscent of yesterday’s worm outbreaks, there are new tactics that can quickly turn even moderate or less critical vulnerabilities into threats for IT organizations, Dunham noted.

Open Defense

Although Firefox’s attractiveness to attackers may increase as the browser’s market share approaches 20 percent, it is still relatively secure, IT-Harvest Chief Research Analyst Richard Stiennon told LinuxInsider.

“To date, I haven’t seen any sign of targeting [Firefox],” he said.

Mozilla’s open source code, which allows both good guys and bad guys to search out holes, has proven to be an advantage rather than a security liability for Firefox, Stiennon said.

“The more we hear about things Microsoft is doing now in the security space, we realize how great it is to have total transparency in the code,” he remarked.
