A browser with vulnerabilities that could lead to arbitrary code execution and cross-site scripting attacks. An urgent automatic update to patch eight such vulnerabilities, five of which are rated as critical and the complete set as ‘highly critical’ by security exploits tracker Secunia. And even then missing a password management vulnerability that has been known about since November which can exploit a reverse cross-site request to expose logins. The browser security supremo spinning the whole episode as ‘definitely a good thing’ proving that the client is ‘more secure.’
You might be forgiven for thinking it is the same old same old from Microsoft.
However, this is Mozilla Firefox we are talking about.
The eight vulnerabilities concerned are:
- MFSA 2006-76 XSS using outer window's Function object
- MFSA 2006-75 RSS Feed-preview referrer leak
- MFSA 2006-73 Mozilla SVG Processing Remote Code Execution
- MFSA 2006-72 XSS by setting img.src to javascript: URI
- MFSA 2006-71 LiveConnect crash finalizing JS objects
- MFSA 2006-70 Privilege escalation using watch point
- MFSA 2006-69 CSS cursor image buffer overflow (Windows only)
- MFSA 2006-68 Crashes with evidence of memory corruption
Continuing in the Mozilla becomes Microsoft mode, it’s also interesting to note that it has confirmed the rumors that official support for Firefox 1.5 will be discontinued as from 24th April 2007, or six months after the release of Firefox 2. If you have been slow in upgrading, at least you will now get a much more secure client than those of us who fall into the early adopter category. The trouble is, as with Microsoft applications, there will be less and less of us as the ripple effect of these security scares is felt.
Once upon a time Mozilla had a reputation for being the most secure of developers, with clients that had been properly tested and were solid on release. Unfortunately, I no longer feel confident that this remains the case. Certainly I would advise my consultancy clients not to upgrade for 3 months to give Mozilla a chance to iron out the vulnerabilities and patch the client to an acceptably safe standard.
Perhaps inevitably, methinks the Firefox fairytale does not have a happy ending...