The Mozilla Foundation yesterday released a security update to the Firefox Web browser. The patch includes several fixes to guard against spoofing and arbitrary code execution.
Firefox 1.0.1 patches several bugs, including a vulnerability involving Internationalized Domain Names (IDNs): Web addresses written in local-language characters, which enable Internet users to navigate and communicate online in their own languages.
The IDN vulnerability would allow hackers to spoof Web sites via phishing attacks. Phishing involves an attempt to steal the identities of Internet users by sending out e-mails or links to phony Web pages mimicking popular Web sites.
In the past, Danish security firm Secunia and others have issued warnings about phishing vulnerabilities in most Web browsers. Holes in popular browsers such as Internet Explorer could open the door to hackers hijacking pop-up windows on trusted Web sites to launch phishing attacks.
Committed to Security
Mozilla officials said Firefox 1.0.1 improves stability by displaying IDNs as “punycode” in the address bar, which will prevent attackers from spoofing the site. Punycode refers to the encoding of Unicode strings into a limited character set supported by the Domain Name System and IDN.
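The punycode display described above, as an added example that is not code from Mozilla or from the original article: it converts a hostname to its ASCII form with Python's built-in IDNA codec and flags labels that mix scripts, which is what makes a look-alike name visible to the user. The function names and the sample hostnames are constructed for illustration.

```python
import unicodedata


def to_ace(host: str) -> str:
    """Return the ASCII-compatible (punycode) form of a hostname.

    Uses Python's built-in "idna" codec, which encodes each non-ASCII
    label with punycode and adds the "xn--" prefix.
    """
    return host.encode("idna").decode("ascii")


def label_scripts(label: str) -> set:
    """Approximate the scripts in a label from Unicode character names.

    The first word of a letter's Unicode name is its script for the
    common cases (LATIN, CYRILLIC, GREEK); digits and hyphens are skipped.
    """
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def address_bar_view(host: str) -> dict:
    """Summarise what a user would see and whether the name is suspicious."""
    mixed = [lbl for lbl in host.split(".") if len(label_scripts(lbl)) > 1]
    return {
        "typed": host,
        "displayed": to_ace(host),   # punycode form shown instead of Unicode
        "mixed_script_labels": mixed,
    }


if __name__ == "__main__":
    # Constructed samples: a legitimate German IDN and a look-alike label
    # whose third letter is CYRILLIC SMALL LETTER A (U+0430), not Latin "a".
    for sample in ("b\u00fccher.example", "ex\u0430mple.test", "example.test"):
        view = address_bar_view(sample)
        print(view["typed"], "->", view["displayed"],
              "| mixed scripts:", view["mixed_script_labels"])
```

Rendered in Unicode, the second sample is visually indistinguishable from the third; in punycode the two are clearly different strings.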
“Regular security updates are essential for maintaining a safe browsing experience for our users,” said Chris Hofmann, director of engineering for the Mozilla Foundation, in a statement.
“The Mozilla Foundation has developed a community of users and developers who continuously provide feedback on Mozilla software, and as a result of that constant vigilance, we are able to provide quick and effective responses to security vulnerabilities.”
Lack of Developer Diligence
One security analyst said while it’s true that the recent so-called browser wars may have sparked innovation, they have also led to a lack of diligence in the security arena that is coming back to haunt some developers.
“For years there was an extreme rush to push new functionality into the browsers,” Secunia CTO Thomas Kristensen told LinuxInsider. “Not many cared about the security back then.”
“Today the vendors pay the price,” Kristensen continued. “Security researchers have started to focus on probably the most exposed and most vulnerable piece of software on the average corporate network: browsers.”
Many industry-watchers are concerned that as Firefox continues to gain popularity, it is likely to become the target of more and more malicious attacks. Mozilla executives are betting that the open-source community will help it stay on top of security patches as it adds to its 27 million users.