The latest security holes found in the popular alternative Web browser Firefox raises yet more questions about its vulnerability. Security experts warned of nine security holes and posted an example of dangerous exploit code affecting the browser.
FrSIRT (French Security Incident Response Team) issued an advisory Thursday for users of the Mozilla Foundations Firefox browser and Mozilla, just days after the Mozilla Foundation issued the latest in a series of patches for Firefox that plugged the holes.
Internet Explorer controlled more than 95 percent of the Web browser market at one point, but has steadily lost ground to Firefox in recent months to take advantage of innovative features such as tabbed Web browsing, and because it was believed to be more secure than Internet Explorer. Firefox Version 1.0 was released in November, 2004, and has been downloaded more than 90 million times, according to the Mozilla Foundation.
The browser owned seven percent of the Web browser market in May, according to WebSideStory Inc. of San Diego, Calif., which makes marketing applications. The Mozilla Foundation has issued a number of fixes for its products in recent months, including security updates in October, February, March, two in May, July, and September.
Last week, Symantec Corp. said in its semi-annual Internet Threat Report that the 18 high-severity vulnerabilities reported for the Mozilla browsers in the first half of 2005 was a worse showing than that of Internet Explorer, for which eight high severity holes were found during the same period.
However, the increase in holes and the availability of exploit code havent yet turned into widespread attacks on Firefox browsers, said Johannes Ullrich , chief technology officer of The SANS Institutes ISC (Internet Storm Center).
ISC has not seen evidence of Web based attacks targeting Firefox, though it has collected anecdotal evidence of such attacks, such as Mozilla browsers crashing or acting funny when they visit a Web page, Ullrich said.
Still, the lions share of the attacks on the Web target Internet Explorer, often by targeting vulnerabilities, like a flaw in the way IE handles the IFRAME HTML tag, which Microsoft has patched, he said.
However, the Mozilla exploit code released this week is powerful enough that attackers could soon begin programming Firefox and Mozilla browser attacks to run alongside IE attacks, Ullrich said.
“The exploit provides full, user mode access to vulnerable systems,” he said. Attackers use such attacks to take control of vulnerable systems and plant keyloggers, backdoor “Trojan horse” programs, or remote control “bot” programs, he said. Firefox users are advised to download and install the latest patches: Version 1.0.7, or 1.7.12 of the Mozilla Suite, from the Mozilla foundation Web site.