By Ryan Russell

I have long held the position that the most popular program is the biggest target for viruses, malware, and browser exploits. Currently, Internet Explorer suffers from the largest number of browser exploits, but with some estimates putting Firefox’s market share at over 25%, this situation could change.
A bug fix for Firefox 2.0.0.4
Readers who use Windows as their primary Web-browsing platform, and who follow my recommendations in this newsletter, are most likely using Firefox instead of Internet Explorer. I’m not recommending anything different — yet.
The main bug of interest in the recent Firefox 2.0.0.4 update is MFSA2007-12. Mozilla reports that there’s a memory corruption bug that it assumes is exploitable. If JavaScript is enabled on Thunderbird (it is off by default, and you should leave it off), it could be exploitable there, too. The advisory indicates that the problem is fixed in Thunderbird 2.0.0.4, but that update doesn’t appear to be out yet. I’m not sure why there has been a delay, but keep an eye out for the update.
With the accounting taken care of, let me get back to the safety issue.
New Firefox exploits uncovered
The number of Firefox exploits continues to increase. Some of them go out of date as patches are released and people update, but there’s always one sticking around. I mentioned in my May 11 column that at least one of the drive-by exploit "packages" now includes a Firefox exploit. This indicates a certain level of interest among professional hackers in Firefox users.
In the Apr. 26 issue, I wrote about the "PWN to OWN" Macintosh-hacking contest at the last CanSecWest conference, in which contestants tried to remotely attack a pair of Macintosh notebooks. If the attackers successfully hacked their way in, they got to keep the laptops. Vulnerability buyer TippingPoint sweetened the pot by adding a US$10,000 cash prize, if the winner agreed to sell any working exploits to the company. The winners, as described in an SC Magazine article, were security researchers Dino Dai Zovi and Shane Macaulay.
