Mozilla has released a security update for its Firefox browser, claiming to pre-empt a potential spoofing vulnerability.
Firefox 1.0.1 fixes 17 security flaws, the most serious of which could allow an attacker to gain full control over a victim's PC, the Mozilla Foundation said. Firefox 1.0 was released in November and has since been downloaded more than 27 million times.
It also includes several fixes to guard against spoofing of Web addresses and the security indicator on websites. These vulnerabilities could be exploited for phishing scams, which typically use spam to drive people towards fraudulent Web pages that look like legitimate e-commerce sites.
One of the more controversial changes made in Firefox 1.0.1 is in the way the browser handles international domain names (IDNs). Domains in foreign languages will now only appear in their indecipherable ASCII code format after Mozilla decided the risk of the system being used by phishers was too great. Its move has been criticised by the Council of European National TLD Registries (CENTR), the Asia Pacific Top Level Domain Association (APTLD) and ICANN.
For protection against possible exploitation of the security flaws, users should download and install the latest version of Firefox, the Mozilla Foundation said. The organisation does not offer patches to fix the problems without having to install a new browser.
Most of these flaws also affect the Mozilla Suite, which includes a Web browser, an e-mail client, Internet Relay Chat client and Web page editor. However users of the suite are left vulnerable because no fixes are yet available. Mozilla 1.7.6, the update that fixes the issues, is due out in "a couple of weeks," according to a Mozilla Foundation spokesman.
The public warning of the security vulnerabilities is evidence that the Mozilla Foundation's products give a false sense of security, said Thor Larholm, a senior security researcher with PivX Solutions. "The only reason Mozilla and Firefox have a good track record in security with a low number of security vulnerabilities is simply because they don't tell anyone about them," Larholm said.
"The Mozilla Foundation has fixed hundreds if not thousands of security vulnerabilities over the last few years without notifying the world and without providing security patches, instead they have simply just told their users to upgrade," he said. "We have to remember that all software has security vulnerabilities, the only difference is in how we anticipate them and inform the world about their existence."