Mozilla Issues 'Critical' Security Fixes
Mozilla Foundation this week released patches for its Firefox browser, its Thunderbird e-mail client, and its SeaMonkey Internet application suite, responding to an increase in security issues accompanying the open source software's surging popularity.
Firefox has topped the 15 percent mark in browser market share. That's still far behind Microsoft's dominant Internet Explorer browser, but IE has been slipping of late, while Firefox's fortunes continue to rise.
It's unclear whether more serious attention from attackers is on the way, but even if that should be the case, Mozilla will have certain advantages over Microsoft in dealing with such problems.
"It's going to be easier to manage and provide a more rapid response," VeriSign iDefense Rapid Response Team Director Ken Dunham told LinuxInsider. That's because Firefox has a modular design with fewer lines of code and fewer interdependencies than Explorer.
The three patches that Mozilla issued this week were for security issues it deemed "critical." However, none of the vulnerabilities they address affect the latest version of the Firefox 2.0 browser.
The first fix covered a flaw affecting Firefox, Thunderbird and SeaMonkey software that would allow a running script to be recompiled. The second vulnerability, affecting the same three software products, could allow forgery of an RSA signature, Mozilla said.
The third issue, which affects the same applications, could cause a computer crash with evidence of memory corruption, Mozilla said.
Although the vast majority of Internet attacks are aimed at IE, due to its share of the browser market and its tight coupling with Windows, some do target Firefox code, according to Dunham.
Browser-based attacks have become common, and the trend is fueled by "point and click" exploit-and-attack methods, as well as the increasing availability of attack code.
In addition to high-profile attacks reminiscent of yesterday's worm outbreaks, there are new tactics that can quickly turn even moderate or less critical vulnerabilities into threats for IT organizations, Dunham noted.
Although Firefox's attractiveness to attackers may increase as the browser's market share approaches 20 percent, it is still relatively secure, IT-Harvest Chief Research Analyst Richard Stiennon told LinuxInsider.
"To date, I haven't seen any sign of targeting [Firefox]," he said.
Mozilla's open source code, which allows both good guys and bad guys to search out holes, has proven to be an advantage rather than a security liability for Firefox, Stiennon said.
"The more we hear about things Microsoft is doing now in the security space, we realize how great it is to have total transparency in the code," he remarked.