Germany Tells Firefox 3.6 Users to Switch Browsers

The German government advised Firefox users to switch browsers until Mozilla patches a security flaw in the browser.

The German government has advised users to ditch Mozilla's Firefox browser until a security vulnerability is fixed.

The advisory was issued March 19 by B??rgerCERT , Germany 's Computer Emergency Readiness Team, in response to a vulnerability reported by Russian security researcher Evgeny Legerov. Legerov, who is the founder of the Moscow-based security firm Intevydis, discovered the bug last month and added it as a module to Vulndisco, an add-on to the Immunity Canvas exploit system used by security pros for pen testing.

Legerov's exploit can be used to trigger a heap corruption vulnerability and can potentially allow an attacker to execute arbitrary code. The attack works against Mozilla Firefox 3.6, the most current version of the browser, but does not affect earlier versions, according to Mozilla.

Earlier this year, France and Germany urged users to ditch Microsoft Internet Explorer as a result of the Aurora attack on Google, Adobe and other corporations. In that case, the attackers exploited a security vulnerability in IE that Microsoft began investigating in September but had failed to patch. The company fixed the flaw in January.

"Switching your Web browser willy-nilly as each new unpatched security hole is revealed could cause more problems than it's worth," blogged Sophos Senior Technology Consultant Graham Cluley. "For instance, imagine how much training some users will require to switch from one browser to another. And it's worth bearing in mind - what are you going to do when your replacement browser itself turns out to contain a vulnerability? Are you going to switch yet again?"
Mozilla told eWEEK that it is aware of the German government's advisory and is accelerating the release of Firefox 3.6.2, which will contain the fix. Originally, version 3.6.2 was slated to be released March 30. The release candidate for the browser already contains the fix and can be downloaded here.

Thunderbird and SeaMonkey are based on earlier versions of the browser engine and are not affected, according to Mozilla.

*This story was updated to add a comment from Mozilla.