New Firefox Vulnerability Pushes Latest Update Newly Identified Vulnerability Patched in Firefox 1.0.1 Sean Michael Kerner
If you're a Mozilla Firefox user, there's another reason for you to update to the latest version of the upstart browser released last week.
Buried in the list of Firefox security updates is a critical heap overflow issue that hit the public disclosure lists officially just today.
Security firm iDefense issued a public advisory today titled, "Mozilla Firefox and Mozilla Browser Out Of Memory Heap Corruption Design Error." The vulnerability could allow an attacker to execute arbitrary code and/or crash the browser.
According to iDefense's security disclosure timeline, the vulnerability was reported to the Mozilla Foundation on Feb. 9, and Mozilla responded that day. "Coordinated" public disclosure was supposed to occur today.
The vulnerability involves the remote exploitation of a "design error" that could potentially allow a malicious remote miscreant to trigger a heap
(define) corruption.
According to the iDefense advisory, the vulnerability specifically exists in string-handling functions. The flaw involves the way those functions handle memory, which could potentially allow memory to be overwritten in a fixed location if, during string growth, memory reallocation fails.
According to Mozilla's advisory, "creating the exact conditions for Exploitation — including running out of memory at just the right moment — is unlikely."
That said, iDefense's advisory notes that the two items required to execute the exploit — knowing the browser version and being able to cause memory exhaustion — are entirely plausible. The security firm wrote in its advisory that the memory exhaustion could be triggered by a JavaScript ("to allocate enough memory to trigger this vulnerability") or even compressed data.
According to iDefense, even a failed exploitation attempt could result in the browser crashing. A successful exploitation attempt would allow for arbitrary code execution with the same privileges of the logged-in user. Mozilla's update last week supposedly fixes the issue.
Firefox's security concerns come amid new reports of the open source browser's growing market share. According to Web analytics firm OneStat.com, Mozilla browsers, including Firefox, now command an 8.45 percent market share. This is up from November when its share was only 7.53 percent. Microsoft's Internet Explorer still dominates at 87.28 percent.
"It seems that global usage share of Mozilla's Firefox is still increasing, and the total global usage share of Microsoft's Internet Explorer is still decreasing," said Niels Brinkman, co-founder of OneStat.com, in a statement. "It looks like that browser users of Internet Explorer 5 are switching to Mozilla Firefox instead of upgrading to Internet Explorer 6.0."
