Security Strategy

Mozilla to release Firefox update to fix flaws

Version 1.0.7 on the way "shortly"

Tags: flaw, firefox, mozilla

By Joris Evers

Published: 15 September 2005 08:25 GMT

The Mozilla Foundation plans to "shortly" release new versions of its Firefox and Mozilla web browsers to address a recently disclosed serious security bug as well as several additional flaws, a representative said on Wednesday.

The decision for new, so-called point releases was made after the disclosure last week of a problem in the way the browsers handle International Domain Names, or IDNs - web addresses that use international characters. The vulnerability could let attackers secretly run malicious software on users' PCs. Hackers have been working on exploits for the flaw.

Mike Schroepfer, director of engineering at the Mozilla Foundation, said: "As soon as we got the report that users might be impacted, we began evaluating our options." Firefox version 1.0.7 and Mozilla version 1.7.12, which fix the IDN flaw, are now being tested, he said. "We're releasing as soon as we possibly can."

The testing process is to make sure the updates don't introduce any compatibility problems, he said.

In addition to patching the IDN bug, the new releases include one functionality fix and a handful of fixes for as-yet undisclosed security problems, Schroepfer said.

The Mozilla Foundation, which distributes and co-ordinates the development of Firefox and Mozilla, responded swiftly to the IDN bug disclosure last week and within 24 hours provided a temporary fix. Though the fix disables support for IDNs, the new updates that are now being tested will actually fix the vulnerability and re-enable IDNs, Schroepfer said.

IDNs have caused trouble for Mozilla in the past. A Firefox security update in February fixed a flaw that would allow domain spoofing using the special domain names.

As the Mozilla Foundation and the open source community were working on fixing the IDN flaw, the discoverer of that bug reported yet another issue with Firefox. Security researcher Tom Ferris on Wednesday said that Firefox 1.5 beta 1 is vulnerable to a problem similar to the IDN bug he disclosed last week.

Even with the fix that disables IDN installed, a buffer overflow vulnerability exists in Firefox 1.5 beta 1, Ferris wrote on his Security Protocols website. The problem is a variant of the original IDN bug, he wrote.

Buffer overflows are a commonly exploited security problem. They occur when a program allows data to be written beyond the allocated end of a buffer in memory. A computer can be made to execute potentially malicious code by feeding in extra data that is designed to flood over the buffer.

Firefox 1.5 beta 1 was released last week and is a test version of a new Firefox browser due out by the year's end.

The Mozilla Foundation is investigating Ferris' latest report, Schroepfer said. "At this time we're not sure whether it is a vulnerability," he said.

The latest problem occurs only in the beta release, which is meant for testing only and typically has bugs. The beta has been downloaded about 500,000 times, according to Schroepfer.

Joris Evers writes for CNET News.com
