Mozilla Issues Temporary Fix for Firefox Vulnerability

Keywords: Mozilla Firefox Critical Vulnerability

Previously reported on this site: New Firefox Vulnerability Endangers User Security

After a Firefox security flaw became public, Mozilla released a temporary patch and published detailed workaround instructions for every version of Firefox.

The flaw leaves the open-source browser exposed to buffer-overflow attacks. Tom Ferris, the security researcher who discovered it, said the vulnerability is highly critical.

Ferris reported the flaw to Mozilla on September 4. By his account, a dispute with the company led him to publish details of the vulnerability on his personal website.

Ferris said that by exploiting the flaw, a malicious attacker, or anyone with modest attack skills, could force the system to reboot.

Flaw Publicity

The root of the problem lies in how Firefox handles international domain names, that is, domain names made up of non-Western characters. Without the patch or the workaround instructions, the browser may crash repeatedly, closing all open browser windows.

Forrester Research analyst Michael Goulde noted that Mozilla released the patch four days after the disclosure. That delay was just the time Mozilla needed to reassess the severity of the flaw; as he put it, "changes to a browser have to be triaged by priority."

Firefox's supporters point out that the other browser on the market, Microsoft's bundled Internet Explorer, has had countless vulnerabilities of its own. They say the analyst's assessment will not scare off a single one of Firefox's 86 million users.

Same Problem, Different Browsers

Goulde believes that although Firefox's developers will have to weather some setbacks, it is still too early to judge them on this flaw. "A buffer overflow is one of the most common vulnerabilities in software security," he said. "It is not a good thing, but the problem exists in both open-source and closed-source software."

Goulde also pointed out that the severity of the flaw is limited: "Crashing a browser does not count as a very serious vulnerability; it can happen to any browser at any time."

Original article:
Mozilla Issues Workaround for ‘Critical’ Firefox Vulnerability
Walaika K. Haskins, newsfactor.com Wed Sep 14, 2:03 PM ET

Following the public disclosure of a Firefox security flaw, the Mozilla Foundation has issued a temporary patch and workaround instructions for all versions of the Internet browser.

The flaw reportedly leaves the open-source browser vulnerable to buffer-overflow attacks. According to security expert Tom Ferris, who discovered the vulnerability, the flaw is highly critical.

Ferris first reported the flaw to Mozilla on Sept. 4. Allegedly, a run-in with the company prompted him to publish information regarding the vulnerability on his Web site.

Ferris reported that those with malicious intent and the appropriate hacking skills could force a system to reboot by exploiting the flaw.

Flaw Publicity

The way Firefox handles international domain names — those containing non-Western characters — is the apparent root of the problem. Without the patch or workaround, the browser will freeze and eventually crash, shutting down all open browser windows.

The four-day lag between the disclosure and the release of the patch was likely a result of the time it took Mozilla to assess the severity of the vulnerability, said Forrester Research analyst Michael Goulde. “There is a certain amount of triage that has to happen on [browsers],” he said.

Proponents of the alternative browser point to the numerous security flaws that have plagued Microsoft’s (Nasdaq: MSFT) Internet Explorer browser. According to the analyst, the vulnerability should not scare away any of the 86 million users who have downloaded Firefox already.

Same Story, Different Browser

Goulde believes that even with the newfound flaw, it is a little early to give Firefox developers a failing grade. “Buffer overflow is one of the most common flaws that produce security vulnerabilities in software,” Goulde said. “It’s not a good thing, but it isn’t unique either to closed- or open-source software.”

In defense of Firefox security, Goulde also pointed to the limited real-world consequences of the flaw. “Causing a browser to crash isn’t generally considered a critical flaw. It happens all the time with different browsers,” he said.
