Firefox Plugs GIF Security Hole

The Mozilla Foundation patches its upstart Web browser to correct a GIF-processing flaw that causes a buffer overflow.

The Mozilla Foundation on Wednesday shipped a new version of its flagship Firefox Web browser to patch a serious security hole that could put users at risk of computer takeover.

The flaw, which was discovered and reported by Internet Security Systems Inc., causes a buffer overflow because of the way GIF files are processed by Firefox.

Developed by CompuServe in the 1980s, the GIF format is widely used on the Web because of the improved file-compression features it offers.

"There have been no known exploits of the bug, but as Mozilla is committed to delivering the most secure product possible, we decided to quickly issue an update to patch the bug," said Chris Hoffman, director of engineering at Mozilla.

The Foundation did not offer any details on the vulnerability.

The release of Firefox 1.0.2 comes just one month after Mozilla shipped a major security overhaul for Firefox and underscores the challenges faced by the nonprofit foundation as it attempts to market a legitimate rival to Microsoft Corp.s dominant Internet Explorer browser.

However, Hoffman argued that the open-source nature of the software gives it a leg up in the area of security. "One of best parts of open-source software is that the code is available for anyone to review. Mozillas open-source software is inherently safer and more secure than traditional commercial code because it is scoured by thousands of contributors, developers and professionals, not just the companys development team," he said.

/zimages/5/28571.gifClick here to read about Mozillas decision to end development of its namesake suite in favor of Firefox and Thunderbird.

Despite the back-to-back Firefox patches, Hoffman argued that users should feel more secure knowing that Mozilla "is continually releasing proactive updates to the browser."

"In this case, the Foundation fixed the bug before any known exploits. Bugs and patches are part of the process for developing and distributing software, and consumers can rest assured that we are committed to a safe and secure browsing experience," he said.

Hoffman said the Foundation would continue to release security updates as they are warranted, and not on a fixed schedule. "Because of our strong community of developers, were able to turn around patches much faster than a traditional corporation."

In a not-so-subtle tweak at Microsoft, Hoffman said the recent growth of Firefox was not related to the back-to-back security patches. "It is not relational at all. Not being in the operating system and not supporting Microsofts proprietary Active X are phenomenal advantages for us," he said.

/zimages/5/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.