Keywords: Mozilla Firefox Critical Vulnerability

The flaw in the open-source software leaves it exposed to buffer-overflow attacks; security expert Tom Ferris, who discovered the vulnerability, says it is highly dangerous.

Forrester Research analyst Michael Goulde said Mozilla released the patch four days after the matter became public, time that allowed Mozilla to reassess the severity of the vulnerability. "Changes to browsers have to be triaged by priority," he said.

Firefox's supporters point out that the other browser on the market, Microsoft's bundled Internet Explorer, has also had countless vulnerabilities. They say the analyst's assessment will not scare away any of Firefox's 86 million users.

Mozilla Issues Workaround for ‘Critical’ Firefox Vulnerability
Walaika K. Haskins, Wed Sep 14, 2:03 PM ET

Following the public disclosure of a Firefox security flaw, the Mozilla Foundation has issued a temporary patch and workaround instructions for all versions of the Internet browser.

The flaw reportedly leaves the open-source browser vulnerable to buffer-overflow attacks. According to security expert Tom Ferris, who discovered the vulnerability, the flaw is highly critical.

Ferris first reported the flaw to Mozilla on Sept. 4. Allegedly, a run-in with the company prompted him to publish information regarding the vulnerability on his Web site.

Ferris reported that those with malicious intent and the appropriate hacking skills could force a system to reboot by exploiting the flaw.

Flaw Publicity

The way Firefox handles international domain names — those containing non-Western characters — is the apparent root of the problem. Without the patch or workaround, the browser will freeze and eventually crash, shutting down all open browser windows.
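The article gives no detail of the flaw beyond "IDN handling" and "buffer overflow", so the following is an added, illustrative C example and not Firefox's code: it shows the generic pattern behind such bugs (a hostname copied into a fixed-size buffer on trust) next to a hardened copy that validates total and per-label length before copying. The `HOST_MAX` constant, the function names and the sample hostnames are assumptions for this example; the 255-octet hostname and 63-octet label limits are the RFC 1035 limits. The point for IDN in particular is that length must be checked on the form that is actually stored (the ASCII "xn--" form), because conversion changes the length.

```c
#include <stdio.h>
#include <string.h>

/* RFC 1035 limits: a hostname is at most 255 octets, a label 1..63 octets.
   HOST_MAX is an assumed buffer size for this example. */
#define HOST_MAX 256

/* Vulnerable pattern (illustrative, not Firefox's code): the caller trusts
   the length of an attacker-supplied hostname and copies it into a
   fixed-size buffer with no bounds check. Anything longer than the buffer
   overruns it; whether that ends in a crash or in something worse depends
   on what happens to sit after the buffer. */
void copy_host_unchecked(char dst[HOST_MAX], const char *src)
{
    strcpy(dst, src);
}

/* Hardened version: validate the length of the string that will be stored
   (for IDN that is the ASCII-compatible "xn--" form, not the Unicode form)
   and the length of every dot-separated label, and fail closed instead of
   truncating silently. Returns 0 on success, -1 if the name is rejected. */
int copy_host_checked(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (n == 0 || n >= dst_len || n > 255)
        return -1;

    size_t label = 0;
    for (size_t i = 0; i <= n; i++) {
        if (src[i] == '.' || src[i] == '\0') {
            /* empty labels (including a trailing dot) and labels over 63
               octets are rejected */
            if (label == 0 || label > 63)
                return -1;
            label = 0;
        } else {
            label++;
        }
    }
    memcpy(dst, src, n + 1);
    return 0;
}

int main(void)
{
    char buf[HOST_MAX];
    /* constructed sample: punycode form of a non-ASCII label */
    const char *idn = "xn--mnchen-3ya.example";
    printf("%s -> %d\n", idn, copy_host_checked(buf, sizeof buf, idn));

    /* constructed sample: a single label of 64 'a's, one over the limit */
    char too_long[70];
    memset(too_long, 'a', 64);
    too_long[64] = '\0';
    printf("64-octet label -> %d\n",
           copy_host_checked(buf, sizeof buf, too_long));
    return 0;
}
```

For reference, Mozilla's published workaround at the time was to turn IDN handling off entirely (the `network.enableIDN` preference in `about:config`), which is the usual shape of a stop-gap: remove the code path that parses the untrusted input until the bounds check ships.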

The four-day lag between the disclosure and the release of the patch was likely a result of the time it took Mozilla to assess the severity of the vulnerability, said Forrester Research analyst Michael Goulde. “There is a certain amount of triage that has to happen on [browsers],” he said.

Proponents of the alternative browser point to the numerous security flaws that have plagued Microsoft’s (Nasdaq: MSFT) Internet Explorer browser. According to the analyst, the vulnerability should not scare away any of the 86 million users who have downloaded Firefox already.

Same Story, Different Browser

Goulde believes that even with the newfound flaw, it is a little early to give Firefox developers a failing grade. “Buffer overflow is one of the most common flaws that produce security vulnerabilities in software,” Goulde said. “It’s not a good thing, but it isn’t unique either to closed- or open-source software.”

In defense of Firefox security, Goulde also pointed to the limited real-world consequences of the flaw. “Causing a browser to crash isn’t generally considered a critical flaw. It happens all the time with different browsers,” he said.