Security researchers have discovered an unpatched vulnerability in Firefox that might be used to crash vulnarable systems. Hackers might also use the security bug to trick surfers into running malicious code by simply fooling them into visiting a maliciously constructed website.

This is a class of problem well known to IE users but it will come as a nasty shock to users of the alternative browser, which has been seen as something of a safe haven from hacker attack even though this assumption has come under question over recent months. The vulnerability, discovered by Tom Ferris of Security Protocols, applies to Firefox version 1.0.6. Previous versions may also be affected but this has yet to be confirmed. The security bug stems from an error in handling a URL that contains the 0xAD character in its domain name, giving rise to possible heap-based buffer overflow attacks. Security notification service Secunia describes the vulnerability as "highly critical". It advises users not to browse untrusted websites as a precaution. This isn't exactly the easiest precaution to stick to, though it's the only one on offer just now pending a more comprehensive workaround from the Mozilla Foundation. ®

Related stories

• IE and Firefox blighted by fake login flaw (23 November 2006)
• Just how buggy is Firefox? (8 September 2006)
• Firefox under fire from multiple security bugs (18 April 2006)
• Mozilla suffers growing pains (22 September 2005)
• Mozilla disables IDN to guard against Firefox flaw (12 September 2005)
• W3C tells US Copyright Office: IE is not the only fruit (25 August 2005)
• Firefox loses ground to IE (15 August 2005)
• Mozilla postpones next Firefox release (22 July 2005)
• Hackers attack Mozilla site to spread spam (15 July 2005)
• Firefox loses its shine (13 May 2005)