Mozilla will delay the next security update for Firefox so it can test a fix for a flaw that could be used by attackers by skirt security restrictions.
The flaw, disclosed by Polish researcher Michal Zalewski on the Full Disclosure security mailing list, could let a malicious site manipulate the authentication cookies for other sites' pages. It is present in the most recent version of the open-source browser, 2.0.0.1.
According to Zalewski, the bug might allow hackers to "tamper with the way these [third-party] sites are displayed or how they work."
Mozilla developers jumped on the bug and produced a fix by the next day. However, adding the patch to the Firefox 2.0.0.2 and 1.5.0.10 updates, which are still under development, will require more work. "We had to respin for [the patch] and now have Firefox 2.0.0.2 rc4 and 1.5.0.10 rc2 builds," wrote Firefox developer Jay Patel on the Mozilla.dev.planning forum. "We are [now] shooting for a target ship date of Thursday 2/22."
View: Full Article @ PC Advisor
5 Comments - Add comment