
Critical Firefox fix misses several flaws

Mozilla update patches 14 vulnerabilities

Mozilla has updated Firefox to patch 14 vulnerabilities, three of them critical, but pushed out the new versions without fixing several flaws.

Firefox 2.0.0.2 and Firefox 1.5.0.10, which were originally due to launch last Wednesday, were delayed to patch a series of bugs, including some disclosed this month by Polish researcher Michal Zelewski. Two others forwarded to Mozilla developers by Zelewski, however, didn't make it into the new updates.

"Neither of those will make this release," said Daniel Veditz, of the Mozilla security team. "It is important that we get the security fixes we have into the hands of our users."

Of the bugs filed by Zelewski but not fixed in the updates, the most serious is a memory corruption flaw that could let attackers inject code remotely into Firefox-equipped machines simply by duping users into visiting a malicious web page. "Firefox is susceptible to a seemingly pretty nasty, and apparently easily exploitable, memory corruption vulnerability," wrote Zelewski in the Bugzilla database.

Security vendor Symantec agreed. "Successfully exploiting this issue may allow remote attackers to execute arbitrary machine code in the context of the affected application. This could facilitate the remote compromise of affected computers," it reported in an alert sent to subscribers to its DeepSight threat system. US-CERT, the federally funded vulnerability monitoring centre, also issued a warning on Friday, and recommended that Firefox users disable JavaScript.

Also unrepaired in the latest browser versions is a third Zelewski-discovered bug that could give cybercriminals a leg up when running phishing attacks.

Mozilla spelled out the security fixes in Firefox 2.0.0.2 and 1.5.0.10 here.

Firefox 1.5.0.10 is nearly at the end of its supported lifespan. After 24 April, Mozilla will stop issuing security and stability updates to that edition.

Firefox 2.0.0.2 can be downloaded from the Mozilla website in versions for Windows, Mac OS X and Linux in 36 languages. Users can also update current editions with the Check for Updates command in the Help menu.

