We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
78,821 News Articles

Attack code published for Firefox flaw

Users of version 1.5 beware

A hacker published code yesterday that exploits a vulnerability found in the latest version of the Mozilla Foundation's Firefox browser.

The code, which targets the Firefox 1.5 browser, was posted on the Metasploit Project site by a hacker known as HD Moore. Metasploit is a widely used hacking tool.

Moore said a hacker by the name of Georgi Guninski reported the flaw to the Mozilla Foundation on 6 December last year, and that he had simply implemented and posted the technique described by Guninski.

Mozilla published an advisory about the exploit last Wednesday as it released the Firefox 1.5.0.1 browser, which included a patch for the flaw. According to the advisory, the vulnerability, which had been rated as moderate, causes a corruption in the browser's memory that could be exploited to run arbitrary code – a hacker could take over a Firefox 1.5 user's system by tricking them into viewing a maliciously encoded web page.

Hacker Aviv Raff criticised Mozilla yesterday on his blog for under-rating the flaw. He has lambasted the open-source group in the past for downplaying the seriousness of vulnerabilities that have been found in its software.

"My guess is that it is waiting for an exploit in the wild before it is going to rate any exploitable memory corruption vulnerability as 'critical'," Raff wrote.

Chris Beard, vice-president of products at Mozilla, said yesterday that the company was not aware of any known exploits to the flaw when it published the advisory, and so rated the vulnerability as moderate. However, the flaw will now be reclassified as critical since there is a possibility for remote code execution, he said.

The only version of the browser that is affected by the flaw is Firefox 1.5; older versions do not appear to be vulnerable, according to Mozilla. Moreover, most Firefox 1.5 users should now have automatically downloaded the software patch, thanks to the built-in automatic updates that Firefox now uses.

Thunderbird 1.5, the latest version of the group's email application, could be vulnerable to the flaw if JavaScript is enabled in mail, Mozilla's advisory also warned. However, JavaScript enablement is not a default setting in Thunderbird, according to the organisation.


IDG UK Sites

5 things we want to see in Android M: New features and fixes

IDG UK Sites

iPad mini 3 release date rumours: 'iPad mini Air' will be 30 percent thinner than current model

IDG UK Sites

Introducing generation tech

IDG UK Sites

This animated film reveals the importance of designing for everyone