Security bug found in latest version of Firefox

By on

An unpatched vulnerability in version 3.5 of Firefox, which was released last month, could enable a hacker to remotely run arbitrary code on users' machines, security firm Secunia said in an advisory.

The vulnerability arises when the browser processes JavaScript code to handle HTML font tags, the advisory said. An exploit can cause a memory corruption buffer overflow, which could lead to a compromise on an affected system.

“If your browser (Internet Explorer, Firefox, etc.) or its plug-ins (Adobe Flash Player, QuickTime, Sun Java, etc.) contain vulnerabilities, then you're exposed to security threats every single time you visit a website,” Secunia spokesman Mikkel Winther told in an email.

No patch is available yet from Mozilla, though exploit code has been posted on exploit repository milw0rm, which has reopened after temporarily shutting down.

Until a patch from Mozilla is available, US-CERT has encouraged users and administrators to disable JavaScript to mitigate any risks associated with the vulnerability. On its site, US-CERT describes a method to turn JavaScript off.

If that is untenable, Secunia said the best way to avoid being infected is to practise safe web surfing.

“We can only recommend that users refrain from visiting untrusted websites,” Winther said.

See original article on

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition

Most Read Articles

Log In

  |  Forgot your password?