Firefox 3.6.2 Plugs Critical Security Hole
Mozilla has swatted a critical bug in its Firefox browser ahead of schedule.
The flaw, which was discovered by Intevydis founder Evgeny Legerov, had caused enough of a stir to prompt Germany's B??rgerCERT to advise users to ditch the browser until it was fixed.
According to Mozilla, the Web Open Font Format (WOFF) decoder contains an integer overflow in a font decompression routine. As a result, too small a memory buffer could be allocated to store a downloaded font, and an attacker could exploit the situation to crash a victim's browser and execute arbitrary code on the system.
Only Firefox 3.6 was affected by the vulnerability.
"We urge users to promptly update to this release by selecting "Check for Updates..." from the "Help" menu, or by visiting https://www.mozilla.com/ for a free download," according to Mozilla.
The fix is contained within Firefox 3.6.2, which was initially scheduled to be released March 30. After the German advisory however, Mozilla announced it was moving up the release date. While security researchers are divided on the idea of switching browsers every time a vulnerability appears, it was not the first time a government had made the recommendation. Germany and France also advised users to ditch Internet Explorer until the vulnerability tied to the Aurora attack on Google was patched. That vulnerability was fixed in January.