The first major
security flaw in the release branch of Firefox 3.5 may have been fixed, but the fun isn't over yet: another serious flaw has been discovered in the browser.
Despite being recently updated to version 3.5.1,
SecurityFocus is reporting on a stack buffer overflow vulnerability which affects both the original 3.5 release of Firefox as well as the latest 3.5.1 release.
The vulnerability, which comes about from the software's Unicode text handling system, allows a remote attacker to execute arbitrary code simply by embedding it into a web site: as soon as the visitor hits the affected page, the software crashes – leading to a denial of service attack – and under certain conditions the code will be executed by Windows.
With a simple
exploit already available, it's fair to say that if the ne'er-do-wells aren't already using this as an attack vector it won't take them long to wise up.
The vulnerability is the second in the last week to target the latest release branch of the popular open-source browser, and again there is no patch yet available from the Mozilla Foundation. Worse still, there appears to be no easy workaround for the issue this time – although once again something like the NoScript plugin would protect you from attack by untrusted pages, as the exploit relies on Javascript in order to execute.
Are you starting to question just how much work was done checking the security of this latest Firefox branch or is the Mozilla Foundation just having a bad week? Share your thoughts over in the forums.
Want to comment? Please log in.