Mozilla Fixes Firefox Flaw With Workaround
On Friday, just hours after Mozilla released the long-awaited Beta 1 of Firefox 1.5, a researcher posted information and proof-of-concept code for a vulnerability that could let attackers gain complete control of a PC simply by enticing users to a malicious Web site.
"We're looking into the problem," said Mike Schroepfer, Mozilla's director of engineering, on Friday in an interview, "and we'll respond with a patch as quickly as possible."
Although the fix Mozilla posted wasn't a patch per se, it does eliminate the vulnerability in the browser's support for international domain names (IDN). Users can either follow the directions for manually disabling IDN posted on the Mozilla site, or download and install a small patch that makes the changes.
"IDN functionality will be restored in a future product update," promised Mozilla in the patch alert.
This isn't the first time that problems with IDN have plagued Mozilla's browsers. Earlier this year, IDN support within Firefox was disabled in response to a spoofing vulnerability. IDN support was later turned back on in a follow-up version, however.
"This is obviously an unsatisfactory solution in the long term and it is hoped that a better fix can be developed in time for Firefox 1.1," said Mozilla in a statement back in February. (The "Firefox 1.1" tag was later dropped in favor of version 1.5, which was released in beta form on Friday.)