On Wednesday, the Mozilla Foundation released Firefox 1.0.7 for Windows, Mac OS X, and Linux; the new release includes a number of minor changes, but most importantly fixes two potentially serious security issues which have been widely publicized in recent days.
The most-reported problem fixes an issue with Firefox’s International Domain Name (IDN) feature, which enables Mozilla products to display and resolve Internet domain names using international and/or non-Latin character sets. Links pointing to a long domain name composed entirely of dashes could trigger a buffer overflow which (in theory) could have enabled an attacker using a carefully crafted link to execute arbitrary code on a user’s machine. Although there have been no known exploitations of this problem, Mozilla quickly posted information on how to disable IDN while they worked on a solution.
A second serious issue potentially enabling malicious URLs to execute shell scripts under Linux is also addressed in the FireFox 1.0.7 release, along with a potential crash using certain Proxy Auto-Config scripts and some bugs with earlier editions of FireFox which were re-introduced with previous 1.0.x security updates.
The Mozilla Foundation encourages all Firefox users to download and install the 1.0.7 update, which is all well and good; however, repeated attempts to download the update from the Mozilla.org site have failed for more than 30 hours, delaying access to (and coverage of) this update. The Mozilla Foundation has been repeatedly asserting that its response to security issues in its products is more rapid than commercial developers like Microsoft, but the speed of a security fix is immaterial if impacted users cannot acquire the update.
