Critical Update

This morning, my copy of Firefox (1.0PR on OS X) was sporting a new icon: a small red icon with an arrow, next to the throbber.

After a moment, I recognized it as Firefox’s Update icon. This appears when updates to Firefox or your installed extensions become available. Clicking the icon, I learned that a Critical Update was available, and was warned “You should install these updates immediately to protect your computer from attack.” There was one update listed, “data:Downloading Fix from: ftp.mozilla.org”. Aside from being impressed that the browser was being proactive in warning me of a problem, I was intrigued: what exactly is the nature of the vulnerability, and what would the update do to correct it?

Unfortunately, I couldn’t determine this. The update dialog is application-modal, and the only options offered were “install now” and “cancel”. No additional information or links to same. Deciding to risk it all, I cancelled the dialog and went looking for answers. My first stop was the Firefox homepage. No information was there. I tried the support tab, which is actually the Mozilla.org master support page, with no luck. Undaunted, I tried the Firefox Support Forum link on that page, but the forum had no information either. My next stop was the Firefox Help site, which is familiar to anyone who’s been using the ‘Fox since before 0.9. Still no luck. After Google provided no answers, I tried the Mozilla.org homepage, and was rewarded for my perseverance. At the bottom of the page, in the Announcements category, was an entry dated Oct 1, “Important Security Update for Firefox…“.

The Security Update Announcement offered an explanation, sort of, in a Question and Answer format:

  • How does this security vulnerability expose the user?

    A malicious hacker who could trick a user into saving a file could delete files from a user’s download directory.

  • How serious is this vulnerability?

    While this is a potentially severe security vulnerability, user interaction is required to trigger potential harm. This security update is also another example of the Mozilla Foundation identifying and fixing security vulnerabilities before they are exploited by malicious hackers. This type of security vulnerability is very different from cases where a hacker could take advantage of a vulnerability to obtain valuable information from a user’s computer.

  • Doesn’t this case illustrate that all browsers are equally insecure?

    The Mozilla Foundation continues to have a very strong track record on security. According to Secunia, an independent security monitoring organization, Firefox currently has 1 open security issue, out of a total of 13 security advisories filed in 2003 and 2004. 0% of these are labeled “extremely critical”, 15% are labeled “highly critical”. For the same period, Secunia lists 16 open security issues out of 44 advisories for Internet Explorer 6.0, 14% of which are labeled “extremely critical”, 34% are “highly critical”.

So there’s some kind of file download exploit possible, but the details are omitted. I’m no security expert, but I thought best practice was to release as much information as possible. I don’t mind that Firefox has a vulnerability; no software is perfect. I’m impressed by the level of response and the integrated update system. At the same time, I’d rather see more information about the problem and solution (or even a link to same) than statistics spin.

Also of note, there are two solutions to the problem: download the patch via the Update Icon, or download a new build (0.10.1). This highlights something else that’s been on my mind… The Firefox Homepage should really mention the version number next to the “Download Now” link. I can never tell when a new point release is out.

Concerns over communications aside, Firefox is still the best browser for my money (well, if it cost money), and far, far more secure than Internet Exploiter. I’m off to install the update.

UPDATE: Please read the followup to this post for more information.
