Mozilla Plugs Firefox 1.5 Security Gaps

Firefox 1.5 gets its first security patch to fix a denial-of-service bug and several unknown vulnerabilities.

The Mozilla Foundation has shipped the first patch for its flagship Firefox 1.5 browser to plug a series of security vulnerabilities and memory leaks.

The open-source group has started pushing out Firefox as an automatic update and recommended that all users apply the upgrade to protect against a known denial-of-service bug and several undisclosed security issues.

"We recommend that all users upgrade to this latest version," Mozilla said in a note posted online. In addition to security patches and fixes for memory leak issues, Firefox also promises improved stability and improved support for Mac OS X.

The Foundation did not release details on most of the security flaws being fixed. The published list of patched Firefox vulnerabilities has not been updated to reflect the new browser release.

Over at Burning Edge, a list of notable bug fixes has been documented, but although mention is made of several "security holes," details remain scarce.

eWEEK has confirmed that a denial-of-service flaw believed to be serious enough to cause code execution attacks has been fixed. An exploit for that vulnerability was released in December, but Mozilla downplayed the threat, insisting it was more of an "annoyance" than a serious security flaw.

The exploit was confirmed on Firefox 1.5 on Windows XP SP2 (Service Pack 2) and is caused by an error in the way the open-source browser handles large history information. An attacker can fill the browser's "history.dat" file with large history information by tricking a user into visiting a malicious Web site with an overly large title.