Eight More Bugs Found In Firefox, Mozilla
The Danish security firm Secunia on Tuesday laid out the flaws, most of which could be used by criminals to spoof, or fake, various aspects of a Web site, ranging from its SSL secure site icon to the contents of an inactive tab.
Other bugs can be exploited remotely by hackers able to introduce code of their own choosing on the vulnerable machine, possibly taking control of it or giving them access to files. For example, Firefox's extensions -- its name for plug-ins -- can be manipulated to create a temporary directory that can then be exploited by attacks to delete files from the computer. Another flaw in the automatic form filling feature -- used to quickly complete forms with personal information, or even credit card numbers -- could be exploited to trick users into divulging some of that information.
Secunia collectively rated the vulnerabilities as "Moderately Critical," and said that only Firefox has been fixed. Users should download the newest edition, Firefox 1.0.1, which was released last week.
The vulnerabilities have been corrected in Mozilla, but the patched edition, 1.7.6, has not yet been officially released. The same goes for Thunderbird, the Mozilla Foundation's free e-mail client, which is also susceptible to the bugs. Both Mozilla 1.7.6 and Thunderbird 1.0.1 should roll out this week, Mozilla has said.
Firefox 1.0.1 an be downloaded from the Mozilla Web site.