Mozilla downplays risk from unpatched flaw
Nothing to exploit here. Please move along
There are conflicting reports as to whether a flaw in a new version of Firefox is exploitable or not.
Firefox 3.5.1, published only last week in rapid response to an unpatched vulnerability discovered days earlier, is itself vulnerable to a bug involving the handling of very long Unicode strings.
Reports by security researchers at the Internet Storm Centre (here) and elsewhere suggest the flaw might lend itself to code injection. Worse still, proof of concept code has been published; a development that normally reduces the odds on whether hacking attacks might follow.
However, Mozilla published an advisory on Sunday stating the unpatched flaw only poses a minimal cross-platform browser crash risk.
"While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug," Mozilla said. "Our analysis indicates that it is not, and we have seen no example of exploitability." ®