Mozilla Fixes Critical Flaw With Firefox 3.6 Update
The latest version of the browser, Firefox 3.6.2, was released Tuesday as a free download for Windows, Mac and Linux. The update patches a publicly disclosed, previously unpatched flaw in 3.6 that could let an attacker execute code remotely to crash a user's system, run malicious programs or take complete control of the computer.
The fix was initially slated for release March 30, but Mozilla was prompted to issue it about a week early after the German government's citizen-facing cyber threat service, BürgerCERT, began publicly warning users to avoid the Firefox 3.6 browser until Mozilla released a patch.
The security flaw, first reported by Evgeny Legerov of Intevydis last month, is an integer overflow in the WOFF (Web Open Font Format) decoder. When the decoder computes how much memory a downloadable font needs, oversized length values supplied in the font file make the sum wrap around, so the decoder allocates a buffer too small for the font data it then writes into it. A web page serving a crafted font could use the resulting memory corruption to launch attacks.
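The sizing bug described above, in generic form. This is an added C illustration, not Mozilla's WOFF code: the directory fields, the 4-byte padding rule and the sample font directories are simplified assumptions chosen to show the pattern. The vulnerable routine sums per-table lengths in a 32-bit integer, which wraps; the hardened routine checks each addition before performing it, and a third routine shows the per-table bounds check the decoder needs before copying into the allocated buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified WOFF-style table directory entry (assumed field names; the real
 * directory carries more fields, but these two drive the size computation). */
typedef struct {
    uint32_t comp_length; /* bytes of compressed data in the file */
    uint32_t orig_length; /* bytes after decompression: attacker-controlled */
} woff_dir_entry;

/* Round a table length up to the 4-byte boundary used in the sfnt layout. */
static uint32_t pad4(uint32_t len) { return (len + 3u) & ~3u; }

/* Vulnerable pattern: total output size as a plain 32-bit sum. Large
 * orig_length values make the sum wrap, so the decoder allocates a buffer
 * far smaller than the data it later decompresses into it. */
uint32_t vuln_total_size(const woff_dir_entry *dir, size_t n) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        total += pad4(dir[i].orig_length); /* wraps silently on overflow */
    }
    return total;
}

/* Hardened pattern: every addition is checked before it happens; a wrap is
 * reported as a malformed font instead of becoming an undersized allocation. */
bool safe_total_size(const woff_dir_entry *dir, size_t n, uint32_t *out) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t len = dir[i].orig_length;
        if (len > UINT32_MAX - 3u) return false;       /* padding would wrap */
        uint32_t padded = pad4(len);
        if (padded > UINT32_MAX - total) return false; /* sum would wrap */
        total += padded;
    }
    *out = total;
    return true;
}

/* The write phase: returns true only if every table's decompressed bytes
 * would land inside a buffer of buf_size bytes (64-bit accumulator, no wrap). */
bool tables_fit(const woff_dir_entry *dir, size_t n, uint32_t buf_size) {
    uint64_t used = 0;
    for (size_t i = 0; i < n; i++) {
        if (used + dir[i].orig_length > buf_size) return false; /* copy overruns */
        used += pad4(dir[i].orig_length);
    }
    return true;
}

/* Constructed sample directories (not taken from any real font file). */
const woff_dir_entry crafted_dir[2] = {
    { 16u, 0xFFFFFFF8u }, /* claims ~4 GB of output; padded value is unchanged */
    { 16u, 16u },         /* pushes the 32-bit sum past zero: 0xFFFFFFF8 + 16 = 8 */
};
const woff_dir_entry benign_dir[2] = {
    { 64u, 100u },
    { 20u, 30u },
};

int main(void) {
    uint32_t size = 0;
    uint32_t v = vuln_total_size(crafted_dir, 2);
    printf("vulnerable sum for crafted font: %u bytes (first table alone needs %u)\n",
           v, crafted_dir[0].orig_length);
    printf("crafted font fits in that buffer? %s\n", tables_fit(crafted_dir, 2, v) ? "yes" : "no");
    printf("checked sum rejects crafted font? %s\n",
           safe_total_size(crafted_dir, 2, &size) ? "no" : "yes");
    if (safe_total_size(benign_dir, 2, &size))
        printf("benign font: %u bytes, fits=%s\n", size,
               tables_fit(benign_dir, 2, size) ? "yes" : "no");
    return 0;
}
```

The point to take from the crafted directory is that the decoder never sees anything obviously wrong: the wrapped total (8 bytes) is a perfectly ordinary allocation size, and the overflow only surfaces when the first table's 4 GB of output is written into it. The fix belongs at the arithmetic, not at the copy.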
Versions of the open source Firefox browser prior to 3.6 are not affected because they do not include the WOFF decoder, Mozilla said.
The government warning that prompted the early release recalls the advisories issued in January by France and by Germany's Federal Office for Information Security (BSI), which told users to avoid Internet Explorer following the Google Aurora attacks and spurred Microsoft to ship an emergency out-of-band patch for that flaw.
While there are so far no known attacks exploiting the vulnerability, Mozilla said in a blog post that it strongly recommends Firefox 3.6 users update to 3.6.2 as soon as possible, and encouraged Firefox 3 and 3.5 users to upgrade to 3.6 and then check for updates. Existing Firefox 3.6 users will receive an automated update notification within 24 to 48 hours. The update can also be applied manually by choosing "Check for Updates" from the Help menu.