Mozilla To Update Firefox Password Bug

The most recent Firefox glitch prevents access to passwords with international characters in the Web address, the login or the password itself. Another update is anticipated.

"There is no permanent data loss, the saved data is just inaccessible," said Firefox lead Mike Beltzner in a posting on the Mozilla site. "While this doesn't affect all Firefox users, it is a significant regression and has triggered a fast-release Firefox 3.0.3 which will contain a single fix for this issue."

Researchers detected the vulnerability just two days after Mozilla issued a large patch load for Firefox 3.0, which repaired 11 vulnerabilities in Microsoft's Windows, Max OS X and Linux. The cross-platform patch bundle included a fix for a critical "click hijacking" bug that could be exploited by remote attackers to force users to download a malicious file.

If left unpatched, an attacker could exploit the click hijacking bug to take control of the links a user clicks when visiting a malicious Web site. Once users are on the maliciously crafted Web page, attackers can force their victims to open anything on the page without their knowledge.

Altogether, Firefox version 3.0.2 repaired a total of six errors deemed critical -- including four memory corruption bugs residing in the Web browser's graphics rendering, layout and JavaScript engines -- which could allow malicious attackers to execute arbitrary code on a user's system or crash a vulnerable application.

"Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code," said Mozilla in its advisory.

Detected vulnerabilities fixed by the Firefox patch allowed attackers to bypass security restrictions, expose sensitive data or cause a denial of service attack, as well as enable attackers to execute malicious code on users' computers.

The most recent patch prevents attackers from bypassing script filters and unleashing cross site scripting attacks caused by a bug that allowed the HTML parser to ignore certain characters if they were HTML-escaped.

Another fix repairs a stability error that caused browsers with customized tool bars to delete the back and forward buttons.

In order to reduce the risk of a security attack, Mozilla encourages Firefox 2.0 users to upgrade their Web browsers to the latest version as soon as possible. Users can download the current version 3.0.2 from the Mozilla site. Firefox version 3.0.3 is ready and will likely be available for download some time next week.