Firefox JavaScript Engine Flaw Flagged

A moderately critical security flaw in the Mozilla Foundations Firefox Web browser could put users at risk of information disclosure attacks, according to an advisory from security research outfit Secunia.

The vulnerability has been confirmed in Firefox 1.0.1 and 1.0.2, the two latest browser releases from the open-source foundation. It also affects the Mozilla suite, Secunia warned.

“The vulnerability is caused due to an error in the JavaScript engine, as a lambda replace exposes arbitrary amounts of heap memory after the end of a JavaScript string,” the advisory read.

Secunia has released an online test to allow Firefox and Mozilla users to determine if they are affected by the bug.

“Successful exploitation may disclose sensitive information in memory,” the company said.

As a temporary workaround, Secunia suggests that JavaScript support be disabled.

The discovery of the flaw comes just weeks after back-to-back browser upgrades from Mozilla to patch several potentially dangerous security holes.

In late February, the volunteer group rolled out a major security makeover to provide a temporary fix for the IDN (International Domain Name) issue and to correct two serious flaws that could allow malicious attackers to spoof the source displayed in the “Download Dialog” box or to spoof the content of Web sites.

/zimages/6/28571.gifRead more here about Firefoxs security makeover.

Two weeks later, Firefox 1.0.2 was shipped to correct a buffer overflow caused by the way GIF files are processed by the browser.

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.