A vulnerability has been discovered in the Firefox Web browser that could be exploited by malicious people to gain knowledge of potentially sensitive information, according to an advisory from security research firm Secunia.
The vulnerability comes less than six weeks after the Mozilla Foundation released a security update to the Firefox browser that included several fixes to guard against spoofing and arbitrary code execution.
JavaScript Error
“The vulnerability is caused due to an error in the JavaScript engine, as a ‘lambda’ replace exposes arbitrary amounts of heap memory after the end of a JavaScript string,” said the Secunia advisory.
The vulnerability has been confirmed in versions 1.0.1 and 1.0.2. Other versions may also be affected.
Secunia has released an online test to allow Firefox and Mozilla users to determine if they are affected by the bug. The advisory said the immediate solution is to disable JavaScript support.
Firefox Versus Internet Exlporer
Web vulnerabilities are not at all unusual, evidenced by Secunia’s deep online library of security advisories about Firefox, Microsoft’s Internet Explorer, Apple’s Safari and others.
In fact, Jupiter Research analyst Joe Wilcox told TechNewsWorld that vulnerabilities are just “part of the ballgame.”
“Flaws will be found because flaws exist and that’s going to be true for any Web browser,” Wilcox said. “The real question over time is whether the Mozilla folks can keep up with finding problems and then deploying patches in the most efficient manner.”
Microsoft’s Advantage
That, said Wilcox, is where Microsoft has an advantage in the marketplace. Microsoft has a team dedicated to looking for vulnerabilities, developing patches and distributing them while Firefox has limited resources.
“Just think of Windows Update, for example, and the amount that Microsoft invested in that infrastructure over many years,” Wilcox said. “That’s a very powerful distribution for getting patches out as quickly and efficiently as possible Firefox doesn’t have anything like that.”
Secunia’s online test for the bug is available via its Web site.
Firefox Patched. <yawn>
Secunia POC test passed.
Now, when will IE be updated….?
Also, what the author stating about the advantage of Microsoft. It is only the "fact," not the "truth." The truth is that Microsoft does not normally keep up fixing security holes for the past few years. Also, the problem of security in ActiveX has not been completely solved, which is worse problem compared to problems residing in other browsers (e.g. Firefox or Opera).
The comment about no equivalent to Windows Update from Jupiter research is mostly incorrect. Firefox has a built in tool to auto-update itself from the network. In the upper right next to the animated transfer icon and right under the Maximize button it will show a little orange button with an up-arrow when there is a new update out for Firefox. Clicking on it will automatically download and install the update.