Mozilla Firefox users who upgraded to the latest 3.5.1 release of the Web browser may not be in the clear when it comes to security problems. There are reports that the release, which patched a major security flaw in Firefox 3.5, has a vulnerability that could leave the software open to denial of service attacks, but Mozilla denies that the bug is a security risk.
SecurityFocus, a Web site that tracks Internet security issues, reports discovering a stack buffer overflow vulnerability in both Firefox 3.5 and 3.5.1. The vulnerability, which comes from the software's Unicode text handling system, could allow a remote hacker to execute arbitrary code by embedding it in a Web site and to launch a denial of service attack, according to SecurityFocus.
An alert about the latest vulnerability was also issued over the weekend by the Internet Storm Center, a clearinghouse for bulletins on Internet security problems.
Mozilla in a blog post confirmed that a bug in Firefox "can result in crashes of some versions," but took issue with claims that the bug is a security risk.
The reports "have incorrectly indicated that this is an exploitable bug. Our analysis indicates that it is not, and we have seen no example of exploitability," Mozilla said.
The latest reports of security problems with Firefox come less than a week after a major security problem was discovered in Firefox 3.5, which was released June 30. That vulnerability was caused by a flaw in the browser's just-in-time compiler.
Last Thursday Mozilla released Firefox 3.5.1 to fix that security problem, as well as several other stability issues and a problem that was causing the browser to take a long time to load on some Microsoft Windows systems.