Mozilla offers temporary fix for Firefox flaw

By Joris Evers
Staff Writer, CNET News

Print
E-mail
Share

Related Stories: Unpatched Firefox flaw may expose users
September 9, 2005; A safe browser? No longer in the lexicon
July 7, 2005; Firefox fix plugs security holes
February 24, 2005; Phishing flaw a danger to alternative browsers
February 7, 2005

Responding to the disclosure of a serious Web browser flaw, the Mozilla Foundation offered on Friday a temporary fix to protect Firefox and Mozilla users.

The downloadable fix protects against attacks that take advantage of a new, unpatched flaw that could let attackers secretly run malicious software on users' PCs. The flaw was disclosed late Thursday by security researcher Tom Ferris, sending Mozilla staff into damage-control mode.

The problem has to do with the way the Firefox and Mozilla browsers handle International Domain Names, or IDNs, said Mike Schroepfer, director of engineering at Mozilla. IDNs are domain names that use local language characters. The fix disables support for such Web addresses, he said.

"This is a temporary work-around just to deal with the immediate issue," Schroepfer said. "We're working on a future release in which we will actually fix the problem and re-enable the IDN feature." Switching off IDN support impacts a subset of Firefox and Mozilla users who actually use such special domain names, he said.

Though there is no known attack that takes advantage of the flaw, Mozilla advises Firefox and Mozilla users to disable IDN. "Luckily we do not have any known use of this exploit, but it is fairly critical if there were to be (an attack), so this is a recommended download," Schroepfer said.

Mozilla expects to fix the vulnerability in beta 2 of Firefox 1.5, the next release of the open-source Web browser. Beta 2 is due Oct. 5 and the final release of 1.5 is expected by year's end, Schroepfer said.

In addition to the downloadable fix, Mozilla on its Web site also offers instructions to manually disable IDN: Type "about:config" in the address bar, hit Enter; type "network.enableIDN" in the filter toolbar, hit Enter; right-click the "network.enableIDN" item and select Toggle to change value to false.

IDNs have caused trouble for Mozilla in the past. A Firefox security update in February fixed a flaw that would allow domain spoofing using the special domain names. A spoofed link would seem to be a legitimate address, but instead of taking the victim to the trusted site, the link would lead to a phony Web site.

Though vulnerabilities in Microsoft's Internet Explorer have been the focus of much of the concern, other browsers also have had their fair share of flaws. Security has been a main selling point for Firefox over IE, which has begun to see its market share dip slightly--for the first time in years.

However, Firefox has had its own security woes. Several serious holes in the browser have been plugged since its official release, and experts have said that safe Web browsers don't exist.

See more CNET content tagged:
Mozilla Corp., Firefox, fix, flaw, domain name

Add a Comment (Log in or register) 11 comments

It's easy to fix,...
by September 9, 2005 6:06 PM PDT: ...if you don't need to use international domain names (i.e. most users that use a language from Western Europe).

From the article "...to manually disable IDN: type 'about:config' in the address bar, hit enter; type 'network.enableIDN' in the filter toolbar, hit enter; right-click the 'network.enableIDN' item and select toggle to change value to false."; Reply to this comment

You can Toggle it...
by Des Alba September 9, 2005 9:06 PM PDT: back and forth whenever you need to. It's advisable to keep the value at False because the challenge will be irresistable to some people to see if they can waltz through your system...; Reply to this comment

If a flaw is never exploited...

by M C September 9, 2005 10:58 PM PDT

...does it make a sound?

On Cnet it does!

Reply to this comment

Pee Off
by SmokieUK September 10, 2005 1:36 AM PDT: So vulnerabilities shouldn't be reported unless they're exploited? I'm fed up of people like you, always putting CNET down with your "this isn't news" etc. Hello? It's a [b]tech news[/b] site!

If you don't like reading CNET then go away!; View reply
Processing

Which is better?

by zizzybaloobah September 12, 2005 6:33 AM PDT

Firefox, not quite 1 year old, 3 out of 22 Secunia advisories is marked as "Unpatched" in the Secunia database.
or

IE, not updated in years, 19 out of 85 Secunia advisories is marked as "Unpatched" in the Secunia database.

I've yet to switch anyone to Firefox and later find they've reverted back to IE, or that spyware, adware, and other annoyances have returned.

No matter how many times I clean up a PC, if the users insists on using IE, the problems return.

(BTW, Opera is 0 for 7 unpatched)

Reply to this comment

Just as important to note...
by Nathan Lunn September 12, 2005 9:06 AM PDT: I.E. 6.x criticality (based on 69 advisories and not the full 85 current advisories)
Extremely 14%
Highly 29%
Moderately 20%
Less 14%
Not 22%

Taken from http://secunia.com/product/11/

Firefox 1.x criticality (based on 22 current advisories)
Extremely 0%
Highly 23%
Moderately 36%
Less 32%
Not 9%

Taken from http://secunia.com/product/4227/

*Another* security flaw?

by September 12, 2005 10:20 AM PDT

I think firefox is starting to find out that it's not so easy to keep its browser secure once it starts getting actual market share and adding more advanced features.

I tried firefox, but eh - while its functional and I still use it on occassion, I still prefer IE under XP SP2.

Reply to this comment

Reply
by unknown unknown September 12, 2005 3:12 PM PDT: I don't know that rate at which flaws are found have increased but when they are, they get more publicity.

This isn't the first time IDN has caused problems, it's been a problem in just about every major browser at some point (at least the one that support it). Fortunitly Firefox is extremely configurable and customizable so that problem features like IDN can be turned off or modified until a full blown patch can be created. If this was a flaw in IE you'd have to wait for patch tuesday.

Microsoft's development of IE is allowed to stagnate until someone starts taking market share then they play catch up.

Expect it
by hion2000 September 12, 2005 4:18 PM PDT: Firefox's greatest strength over Internet Explorer and Opera is that its Open Source. It is far more likely to find security vulnerabilities since the source is freely available. This is may seem like Firefox isn't secure, but every new flaw found and fixed pushes the next version of Firefox to a newer high in security.

Latest tech news headlines

Obama's attorney general pick: Good on privacy?
Posted in News - Politics and Law by Declan McCullagh

December 2, 2008 4:00 AM PST
IBM to start-up: Industry vet responds to recession
Posted in News - Business Tech by Jim Kerstetter

December 2, 2008 4:00 AM PST
Window Pong turns your browser into a game
Posted in Webware by Josh Lowensohn

December 1, 2008 10:57 PM PST
See all headlines

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Markets: Market news, charts, SEC filings, and more; Related quotes; Microsoft (0.00%) 0.00 18.61; Dow Jones Industrials (0.00%) 0.00 8,149.09; S&P 500 (0.00%) 0.00 816.21; NASDAQ (0.00%) 0.00 1,398.07; CNET TECH (0.00%) 0.00 1,014.20

Inside CNET News

Scroll Left Scroll Right

Business Tech
IBM to start-up: Industry vet responds to recession
LogLogic's Patricia Sueltz heard a clear message about the economy from investors. But she already knows a thing or two about navigating through tough times.
Gallery
Photos: Space station marks a decade aloft
The first pieces of the International Space Station went into orbit 10 years ago. Now a full-fledged lab facility, it continues to grow.
The Open Road
MIT open sources mobile code
MIT is open sourcing a mobile project, paving the way for other universities to benefit and contribute.
Beyond Binary
Microsoft apologizes for Cashback glitches
Crush of traffic on Black Friday leads shoppers to encounter problems ranging from site sluggishness to the wrong amount of cash back showing in their account.
Video
A toast to online wine
Digital Media
EFF to court: Don't shield telecoms from illegal-spying suits
The Internet advocacy group will argue that its unconstitutional to protect telecoms after they helped Bush administration unlawfully spy on Americans.
Video
Wi-Fi while you fly
Politics and Law
Obama's attorney general pick: Good on privacy?
Eric Holder, the deputy attorney general under President Clinton, has criticized the warrantless wiretapping program. But he wanted to limit encryption use, and his views on other online policies may not be that far from the Bush administration's.
Green Tech
Ta ta, Tesla
Are the Valley-based VCs and big-wigs who back Tesla Motors really serious about asking the federal government for low-interest loans?
Gallery
Photos: Top-rated reviews of the week
Here are a few of CNET Reviews' favorite items from the past week, including Adobe suites, laptop bags, and a Panasonic flat panel TV.
Crave
Nokia's mystery device? The Nokia N97
Nokia officially unveils the Internet-focused Nokia N97, a full-QWERTY smartphone with a touch screen.
Green Tech
Obama's security adviser calls for energy action
James Jones, incoming national security adviser, is a retired general who advocates for a diverse energy supply and clean-energy technologies in the name of national security.