Mozilla, which coordinates development of Firefox and distributes the software, could not immediately comment on the flaw disclosure. However, a source close to the organization confirmed that Ferris had filed several bug reports, including this specific one. Since the debut of Firefox 1.0 in November, usage of the open-source browser has grown. Security has been a main selling point for Firefox over Microsoft's Internet Explorer, which has begun to see its market share dip slightly--for the first time in years.
[Sigh]... The stance people are starting to take is "See, FireFox is insecure too!" You better believe Microsoft is going to pushing this idea. However, if you actually read the advisory, it becomes perfectly clear with 2 sentences why Firefox is and shall remains the superior browser: The problem seems to be when a hostname which has all dashes causes the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec to return true, but is sets encHost to an empty string. Meaning, Firefox ppends 0 to approxLen and then appends the long string of dashes to the buffer instead.
He discusses specific functions and variable names that are in the human readable format, because this vulnerability was found by examining source code. This is something you can never do with Microsoft code, and is why the Open Source Model can produce a more secure product then Closed Source. Unpatched Firefox flaw may expose users |