Friday, July 09, 2004

Mozilla Security Nightmare Begins

Just when Windows users thought it was safe to move away from Internet Explorer and its litany of security issues, a flaw has been detected in Mozilla, the open-source alternative to Microsoft's widely used browser.
The Mozilla Foundation has announced a "shell" protocol security vulnerability, affecting its browsers running on the Windows operating system.
The Mozilla security team reported that the flaw impacts the company's Mozilla application suite, and Firefox and Thunderbird products. The problem does not affect Linux or Macintosh users.
Phishing Hole

By exploiting the Mozilla flaw, an attacker can have a user click on a URL displayed in the browser, open a new frame and run unauthorized applications in that frame, Vincent Weafer, senior director for Symantec security response, told NewsFactor.
"It's the type of client-side vulnerability found on other browsers, including Internet Explorer, that is used with spyware phishing attacks," he said. Weafer recommends disabling the shell, in addition to applying the appropriate patch or patches, so that attackers cannot gain local access to the affected PC. Users should also make sure that security features on their browsers and applications are activated.
"People are increasingly nervous about IE and phishing attacks, but this shows that other browsers are vulnerable as well," said Weafer.
Vulnerability Epidemic
Mozilla has released a configuration change that resolves this problem by disabling the browser's handling of the "shell" protocol. A patch is available as a download that makes this configuration adjustment for the user, or users can install the latest releases of Mozilla, Firefox or Thunderbird.
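As an added illustration of the configuration fix described above (not code from the article, from Mozilla, or from the patch it mentions): a small audit that reads the text of a Mozilla/Firefox profile's prefs.js and reports whether the external "shell" protocol handler is explicitly turned off, plus a helper that writes the hardened setting. The preference name `network.protocol-handler.external.shell` does not appear in the article; it is the preference Mozilla's advisory of the time set to `false`, and the sample profile lines below are constructed.

```python
import re

# Assumed preference name (not given in the article): the 2004 advisory
# disabled the external "shell:" handler by setting this pref to false.
SHELL_PREF = "network.protocol-handler.external.shell"

# Matches one prefs.js line, e.g.:
#   user_pref("network.protocol-handler.external.shell", false);
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"[^"]*")\s*\)\s*;'
)


def parse_prefs(text):
    """Return {pref name: raw value string} for every user_pref line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def shell_handler_status(text):
    """Classify a profile: 'disabled', 'enabled', or 'missing' (pref absent, browser default applies)."""
    value = parse_prefs(text).get(SHELL_PREF)
    if value is None:
        return "missing"
    return "disabled" if value == "false" else "enabled"


def hardened(text):
    """Return the prefs text with the shell handler explicitly disabled.

    Any existing setting of the pref is dropped so the new line is authoritative.
    """
    kept = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not (m and m.group(1) == SHELL_PREF):
            kept.append(line)
    kept.append('user_pref("%s", false);' % SHELL_PREF)
    return "\n".join(kept) + "\n"


# Constructed sample profiles for demonstration.
UNPATCHED = 'user_pref("browser.startup.homepage", "about:blank");\n'
PATCHED = UNPATCHED + 'user_pref("%s", false);\n' % SHELL_PREF
```

Running `shell_handler_status` over each profile directory on a fleet of Windows machines gives a quick check of who still lacks the mitigation after the patch is rolled out.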
Future versions of Mozilla Firefox will include automatic update notifications, the foundation said, providing users with prompt information on security issues.
The announcement follows a succession of alerts on vulnerabilities recently detected in the Explorer browser. Microsoft's problems have gotten so bad that the U.S. Computer Emergency Response Team (CERT) has recommended that users seriously

Written by: Jay Wrolstad, www.enterprise-security-today.com
