Mozilla postpones Firefox 2 fix

Mozilla will delay the next security update for Firefox so it can test a fix for a flaw that could be used by attackers to skirt security restrictions.

The flaw, disclosed by Polish researcher Michal Zalewski on the Full Disclosure security mailing list, could let a malicious site manipulate the authentication cookies for other sites' pages. It is present in the most recent version of the open-source browser, 2.0.0.1.

According to Zalewski, the bug might allow hackers to "tamper with the way these [third-party] sites are displayed or how they work."

Mozilla developers jumped on the bug and produced a fix by the next day. However, adding the patch to the Firefox 2.0.0.2 and 1.5.0.10 updates, which are still under development, will require more work. "We had to respin for [the patch] and now have Firefox 2.0.0.2 rc4 and 1.5.0.10 rc2 builds," wrote Firefox developer Jay Patel on the Mozilla.dev.planning forum. "We are [now] shooting for a target ship date of Thursday 2/22."

View: Full Article @ PC Advisor


5 Comments


Well, at least it's getting fixed properly ... 'cause I would rather wait a little longer for a quality patch than have 'em half a*s it and then release v2.0.0.3 a week or two later.

What amuses me is that if this were MS and IE, people would be flipping out saying how much more quickly Mozilla could get a patch out. I don't mind the wait (I use the trunk, anyway), but people tend to be accepting of things solely based on the company involved.

bangbang023 said,
What amuses me is that if this were MS and IE, people would be flipping out saying how much more quickly Mozilla could get a patch out.

Disingenuous. Mozilla are getting a patch out much more quickly than Microsoft would. Not only that, they're also being transparent about it by saying "we have a patch, but we need to fully test it and add it into the next update". Better that they put it in the next update rather than having to release again in a couple of days.

In any case 2/22 is today. The story was posted yesterday. Not quick enough for you?

^ Seriously. With Microsoft, you'll be waiting a month. I mean, don't get me wrong, I like getting free updates; I just don't like the fact that one of the windows in my house has to remain open for a month before someone gets up and closes it.