Mozilla will delay the next security update for Firefox so it can test a fix for a flaw that could be used by attackers by skirt security restrictions.
The flaw, disclosed by Polish researcher Michal Zalewski on the Full Disclosure security mailing list, could let a malicious site manipulate the authentication cookies for other sites' pages. It is present in the most recent version of the open-source browser, 2.0.0.1.
According to Zalewski, the bug might allow hackers to "tamper with the way these [third-party] sites are displayed or how they work."
Mozilla developers jumped on the bug and produced a fix by the next day. However, adding the patch to the Firefox 2.0.0.2 and 1.5.0.10 updates, which are still under development, will require more work. "We had to respin for [the patch] and now have Firefox 2.0.0.2 rc4 and 1.5.0.10 rc2 builds," wrote Firefox developer Jay Patel on the Mozilla.dev.planning forum. "We are [now] shooting for a target ship date of Thursday 2/22."
View: Full Article @ PC Advisor
The flaw, disclosed by Polish researcher Michal Zalewski on the Full Disclosure security mailing list, could let a malicious site manipulate the authentication cookies for other sites' pages. It is present in the most recent version of the open-source browser, 2.0.0.1.
According to Zalewski, the bug might allow hackers to "tamper with the way these [third-party] sites are displayed or how they work."
Mozilla developers jumped on the bug and produced a fix by the next day. However, adding the patch to the Firefox 2.0.0.2 and 1.5.0.10 updates, which are still under development, will require more work. "We had to respin for [the patch] and now have Firefox 2.0.0.2 rc4 and 1.5.0.10 rc2 builds," wrote Firefox developer Jay Patel on the Mozilla.dev.planning forum. "We are [now] shooting for a target ship date of Thursday 2/22."
View: Full Article @ PC Advisor
Changelog: http://forums.mozillazine.org/viewtopic.php?t=518120
Disingenuous. Mozilla are getting a patch out much more quickly than Microsoft would. Not only that, they're also being transparent about it by saying "we have a patch, but we need to fully test it and add it into the next update". Better that they put it in the next update rather than having to release again in a couple of days.
In any case 2/22 is today. The story was posted yesterday. Not quick enough for you?
Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!
Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.