We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
79,812 News Articles

Firefox attacked as often as Internet Explorer

Mozilla admits to Firefox, Thunderbird patches

The Mozilla Foundation last week revealed that it's had to patch several serious security flaws in its Firefox browser. The Firefox bugs also affect the SeaMonkey browser and Thunderbird email application. According to security firm Secunia, Firefox and IE 7 have been affected by a similar number of advisories so far this year, although Microsoft's Internet Explorer has been hit by more serious bugs than Firefox.

The Firefox flaws could allow an attacker to take over a system, Mozilla said. The Firefox bugs also include less serious exploits such as spoofing or security bypass.

Firefox flaws show there's no safety in numbers

While browser bug patches, even for critical flaws, have become routine, these latest Firefox alerts highlight the fact that Firefox no longer has as clear a security advantage over Microsoft's Internet Explorer as it once did.

In an advisory, Mozilla said the Firefox 2.0.0.4 and 1.5.0.12 update releases had fixed bugs that appeared to allow remote system access.

"Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code," the company stated.

One bug involves Firefox's JavaScript engine and could cause memory corruption and allow malicious code execution, Mozilla said.

The Thunderbird email client uses Firefox's browser engine and is thus also vulnerable - however, since JavaScript is disabled by default in Thunderbird, users are unlikely to be affected, the company said.

"We strongly discourage users from running JavaScript in mail," the company said. The advisory added that it may be possible to exploit the memory corruption vulnerability through some other means than JavaScript, such as large images.

Also fixed were an error in the "addEventListener" method which could be exploited to inject script from one site into another, and a bug in the handling of XUL pop-ups that could allow spoofing of the location bar or other browser interface components.

Secunia called the bugs "highly critical".

Get the latest on PC security threats, reviews and downloads here


IDG UK Sites

45 Best Android games: top Android games for your smartphone or tablet in 2014 (24 are free!)

IDG UK Sites

How Apple, Adobe, Microsoft and others have let us down over UltraHD and hiDPI screens

IDG UK Sites

Do you have the X-Factor too? Mix Off app puts fans in the frame

IDG UK Sites

iPad Pro release date, rumours and leaked images - 12.9 screen 'coming in 2015'