Mozilla Patches Things Up

Days after Firefox's zero-day scare, Mozilla patches a new crop of vulnerabilities

Tim Wilson, Editor in Chief, Dark Reading, Contributor

October 5, 2006

1 Min Read

As it turns out, there were some flaws in Mozilla's software after all.

The open source company today issued a series of patches for vulnerabilities exposed recently in Firefox, Thunderbird, and SeaMonkey, and recommended that users patch their systems immediately.

The patches come on the heels of a scare over a "zero-day" vulnerability in Firefox that was alleged by a hacker at the ToorCon conference earlier this week. In the end, the scare was overblown -- the hacker later conceded that the vulnerability only allows users to crash the browser, not control it. (See Zero-Day: Won't Go Away.)

The new vulnerabilities are very real, experts say. Two researchers -- Fernando Ribeiro and Priit Laes -- separately found errors that could lead to denial of service attacks, and possibly remote code execution, in Mozilla software.

Another researcher, Daniel Bleichenbacher, found an implementation error in RSA signature verification that could cause Mozilla applications to incorrectly trust SSL certificates. And George Guninski demonstrated that even with JavaScript disabled in Mozilla's Thunderbird messaging app, an attacker could still execute script attacks when emails are viewed, replied to, or forwarded.

Aside from the named discoveries, Mozilla reported "multiple unspecified vulnerabilities" in Firefox, Thunderbird, and SeaMonkey that could allow an attacker to cause a denial of service, corrupt memory, "and possibly execute arbitrary code."

Mozilla users can eliminate the vulnerabilities by installing patches and updates, the vendor said.

— Tim Wilson, Site Editor, Dark Reading

About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading


Tim Wilson is Editor in Chief and co-founder of Dark, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights