The Mozilla Foundation has released a Firefox update to patch a spoofing vulnerability and to fix a problem that caused Firefox 1.0 to crash.
Since its November 2004 release, the first full version of Firefox (1.0) has seen more than 25 million downloads in 100 days. But vulnerabilities have also cropped up in those 100 days, the most serious of which didn't affect Internet Explorer. The vulnerabilities include one that can cause the browser to crash and another that allows URL address spoofing and could enable successful phishing attacks.
However, the cumulative threat from all of the vulnerabilities is actually rather weak. So far, I haven't seen any reports of exploits. But the update itself doesn't appear to cause any serious problems either, so most users will probably want to make the upgrade.
The main purpose for the update is to provide additional defence against URL spoofing and phishing attacks. The phishing problem involves the Internationalized Domain Name (IDN) homograph spoofing bug.
Firefox users who have switched on the automatic update feature may already have this upgrade. Users who don't take advantage of this feature should know about a few potential problems with this upgrade -- particularly since the cumulative threats are rather mild.
To prevent the automatic update until you've evaluated the new release, go to Tools | Options | Advanced Options | Software Update, and deselect the check box if you don't want your version of Firefox updated automatically. While Firefox 1.0's Help reports that this feature is on by default, it wasn't set as the default when I installed 1.0.
In its weekly security bulletin, SANS reported two minor problems with the update, one of which involves the resetting of the home page. The second problem was one I had already experienced with Firefox 1.0, so I'm not positive it's really a new problem. In fact, it isn't really a problem at all; it's just the way the program seems to work and involves how browser windows open from within Microsoft Word.
One major bug with the update process causes Windows and Linux versions to crash when users type in the address bar. This occurs if you copied the new version to the same directory where you installed a previous zipped version. As recommended by Mozilla, you can avoid this bug by changing the directory where you install the new version.
Mozilla includes information on its Web site about fixing the problem after it occurs. It details the fix under the Important Note section near the top of its Release Notes Web page. Basically, you must wipe out the new installation and start over.