Feeds

Mozilla and Firefox flaws exposed

Mixed bag

  • alert
  • submit to reddit

Internet Security Threat Report 2014

Mozilla and Firefox users were warned of a number of potentially troublesome security vulnerabilities this week.

The most serious flaw involves a buffer overflow bug in the way Mozilla processes the NNTP (news) protocol. The bug creates a means for hackers inject hostile code into vulnerable systems, providing they trick users into executing maliciously constructed news server links. All versions of Mozilla prior to 1.7.5 are affected. Firefox users are advised to make sure they are running version 1.0 to minimise any risk. The flaw was discovered by Maurycy Prodeus of Polish firm iSEC Security Research.

Next up, Secunia has discovered a flaw that creates a means to spoof the source displayed in the Firefox's download dialog box. The vulnerability has been confirmed in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0. Other versions may also be affected, Secunia warns. It advises Firefox users to avoid download links from untrusted sources pending the availability of patches from the Mozilla project.

Finally, there's a less serious problem affecting Firefox and its email client Thunderbird. Security researchers have found that temporary files are stored by the popular packages in a format that makes it possible for snoops to read the content of downloads and attachments of other users on the same machine.

An overview of these flaws and suggested workarounds can be found here. ®

Related stories

Poison applet peril affects IE, Opera and Firefox
Firefox.de in adware rumpus
Firefox 1.0 limbers up for launch
Is Microsoft creating tomorrow's IE security holes today?
MS quashes infamous Bofra bug

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
The Heartbleed Bug: how to protect your business with Symantec
What happens when the next Heartbleed (or worse) comes along, and what can you do to weather another chapter in an all-too-familiar string of debilitating attacks?
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.