14-09-2005   #1
pollushon
Hackers work to exploit latest Firefox flaw

Looks like the party's over:

By Joris Evers
Staff Writer, CNET News.com

Security researchers claim to have found ways to exploit a serious bug in Firefox and Mozilla Web browsers, a sign that attacks could be on the way.

The vulnerability, which could let attackers secretly run malicious software on PCs, was disclosed on Thursday by security researcher Tom Ferris. The Mozilla Foundation, which distributes and coordinates the development of the Firefox and Mozilla browsers, responded swiftly and released a temporary fix on Friday.

The problem also affects the latest Netscape Web browser, according to security experts. Netscape, a division of Time Warner's America Online subsidiary, is investigating the issue, a company representative said Tuesday.

Disclosure of a flaw typically starts a race in the security community to exploit it. In the past few days, at least two security researchers have posted messages to popular security mailing lists claiming they have found ways attackers could take advantage of the vulnerability.

The postings said that exploits that work on Windows and Linux operating systems had been found. At the time the flaw details were disclosed, there were no known exploits for the vulnerability, beyond the one Ferris claimed to have for Windows.


"It took only about 3 hours and 30 minutes to develop the exploit, so I might not be the only one able to write it," Berend-Jan Wever, a computer science student in the Netherlands, wrote in a posting to the Full Disclosure mailing list on Saturday. Wever said he had found an exploit that works on Windows XP and Windows Server 2003.

Wever and Ferris have kept their exploit code private, and no attacks that take advantage of this flaw have been reported. However, criminal hackers are likely not far behind the researchers in working out a mode of attack, experts said.

"We did not see any public exploit for the vulnerability. However, security researchers and hackers are actively working on this issue," a representative of the French Security Incident Response Team, or FrSIRT, said in an e-mail interview. The FrSIRT tags the issue as "critical," its most serious rating.

Ferris agreed that miscreants are looking to write or even buy code that can use the vulnerability to attack people's machines. "I have been e-mailed a couple of times by people asking for an exploit," he said. "This tells me the Trojan writers are out there looking for something."

Name game
The problem in Firefox, Mozilla and Netscape has to do with the way the browsers handle International Domain Names. IDNs are domain names that use local language characters. Experts advise Firefox and Mozilla users to apply the temporary fix provided by the Mozilla Foundation, which disables the IDN feature.

"I would certainly recommend that users implement the vendor workarounds until a patch is made available," said Michael Sutton, director of security intelligence company iDefense Labs. "We feel that exploit code can and will be created."

The security vulnerability in question is a buffer overflow flaw. An attacker could host a Web site containing malicious code to exploit the vulnerability. Mozilla has posted an advisory on its Web site that includes the patch and instructions to manually disable IDN.

Mozilla has said that it is working to fix the actual vulnerability in an upcoming version of Firefox and that it will re-enable the IDN feature in that version. Switching off IDN support impacts Firefox and Mozilla customers who actually use such special domain names.

Firefox has risen in popularity in recent years as a viable alternative to Microsoft's Internet Explorer. Though its market share slipped slightly recently, researchers estimate that between 8 and 9 percent of the Internet population use the open-source Web browser.

Security has been a main selling point for Firefox over Internet Explorer. However, Firefox has had its own security woes. Numerous serious holes in the browser have been plugged since its official release, and experts have said that safe Web browsers don't exist.