A patch for a major Firefox security flaw, a buffer overflow in "legacy Netscape code" for animated GIF images that is still in the open-source browser, has been issued by the Mozilla Foundation, right after network protection firm Internet Security Systems discovered the flaw and before the public even knew of the issue.
So said Mozilla Foundation engineering director Chris Hofmann March 23, as Firefox Version 1.02 was released. He added that similar memory problems affected Mozilla browsers and Microsoft Internet Explorer in the past, allowing malicious attackers to exploit them by creating image files that could execute programs compromising a system if a user viewed the images in their browsers.
"We are staying ahead and being proactive in fixing the code," Hofmann told reporters. "The deciding factor, in this case, was the potential for this: It's a little easier for hackers to turn it into an exploit that could be dangerous."
Security and antivirus maker Symantec said in an Internet Threat Report earlier this week that, during the last six months of 2004, 21 security vulnerabilities affected Mozilla browsers as a whole while thirteen affected Internet Explorer, but only seven of the Mozilla flaws were considered highly severe, compared to nine in IE.
To Hofmann, that means Mozilla has done well in securing Firefox code. "As the data shows, the flaws are of lesser severity," he said. "The kinds of things Microsoft's browser is vulnerable to are much more worrisome." And to Mozilla president Mitchell Baker, it means it's easy to predict Firefox won't have as many security flaws as IE.
Microsoft, for its part, released a statement saying IE has a proven track record and the company "continues to make significant investments in Internet Explorer, including Windows XP Service Pack 2, which features a much stronger security infrastructure to help thwart malware attacks, block suspicious content, and eliminate many common spoofing attempts."
Mozilla, meanwhile, said it would continue examining the legacy code remaining in Firefox and its other browsers. "Most of the things that we are looking at and fixing," Hofmann said, "are potential exploits that no one has figured out how to exploit yet."