'Extremely Critical' Bugs Found In Firefox

struggle4progress Donating Member (1000+ posts) Mon May-09-05 08:09 PM
Original message
'Extremely Critical' Bugs Found In Firefox
A pair of unpatched vulnerabilities in Mozilla's Firefox browser could allow an attacker to take control of a PC simply by getting a user to visit a malicious Web site, Mozilla says.

By Gregg Keizer
TechWeb News

A pair of unpatched vulnerabilities in Mozilla's Firefox Web browser -- rated as "extremely critical" by one security firm -- could allow an attacker to take control of a PC simply by getting a user to visit a malicious Web site, Mozilla said Sunday.
Because proof-of-concept code has been leaked -- as were the vulnerabilities -- before a patch was ready, Mozilla recommended that Firefox users either disable JavaScript or lock down the browser so it doesn't install additional software, such as extensions or themes, from Web sites.

The vulnerabilities were discovered by a pair of security researchers, who had notified Mozilla earlier in the month, but were keeping mum until a patch was written. However, details of the vulnerabilities were leaked by someone close to one of the researchers. <snip>

http://informationweek.com/story/showArticle.jhtml?articleID=163100338


RoyGBiv Donating Member (1000+ posts) Tue May-10-05 09:36 AM
Response to Original message
1. Just a note ...
Edited on Tue May-10-05 09:39 AM by RoyGBiv
Mozilla itself posted the security advisory on May 8th, the day after it was discovered. It involves the auto-update function and Java. If you turn off auto-update and clear your list of allowed sites, it probably couldn't affect you anyway.

And, to be clear, there are no known exploits of this flaw. The so-called "leak" came from a team of researchers testing security who developed a "proof of concept" about the flaws. That is, they saw a potential flaw and proved that it could be exploited. That's what people do with OpenSource. They look through the code trying to find flaws so that they can be fixed.

A more interesting angle on this is that the press is all over it, advertising it like the end of the world has come. It shows pretty clearly, I think, that FF is having an impact.

http://www.mozilla.org/security/announce/mfsa2005-42.html
 
hobbit709 Donating Member (1000+ posts) Tue May-10-05 01:05 PM
Response to Reply #1
2. I disable
auto-update on any application that has it just on GP's.
 
RoyGBiv Donating Member (1000+ posts) Tue May-10-05 02:49 PM
Response to Reply #2
3. Me too ...

I understand the purpose of an auto-update or auto-install function. A lot of people want it. I do not, and the reason is things like this. Even under the best of conditions, you're still giving someone you don't really know temporary control over your computer.

The only thing I've ever had on my system that auto-updated is my virus checker, and that's only for the definitions file. Any changes to a program I want to do, I do manually.

 
struggle4progress Donating Member (1000+ posts) Tue May-10-05 05:54 PM
Response to Reply #1
4. Thanks for the clarification.
 
youspeakmylanguage Donating Member (1000+ posts) Thu May-12-05 04:45 PM
Response to Original message
5. Eventually more crackers and virus authors will aim for Firefox users...
Edited on Thu May-12-05 04:46 PM by youspeakmylanguage
It's a numbers game. There aren't a lot of punks attacking Firefox or Mozilla because they are still obscure programs. As they grow in popularity, more and more attacks will be launched.

The difference is, as the stuffed shirts in Redmond sit on their hands, the Mozilla community springs into action anytime a vulnerability is discovered. That's why I trust open-source software much more than commercial software.