Mozilla has released Firefox 3.6.2 almost a week ahead of schedule, after security issues were found in earlier versions. Firefox 3.6.2 was scheduled to launch at 30 of March, but is now available for download. The latest Firefox version fixes a vulnerability that could allow remote code execution attacks. Firefox is the second most popular browser in the web and its usage is between 20% and 32%.
The security hole had led the German government to issue a warning about Firefox 3.6.It warned that the Firefox vulnerability, confirmed by Firefox makers, could allow hackers to run malicious programs on users’ computers.Germany’s official cyber-security response team – BurgerCERT – had recommended that users stop using Firefox until the tested fix was released.
The original Firefox vulnerability was confirmed by maker Mozilla last week on its security blog.It was only the 3.6 version that was affected due to the addition of WOFF fonts.
An integer overflow bug exists in the processing of the newly added in 3.6 version WOFF fonts. This can be exploited to cause a heap-based buffer overflow and execute arbitrary code via a web page embedding a WOFF font with an overly large “origLen” field.
The vulnerability lies within the WOFF decoder that contains an integer overflow in a font decompression routine. An attacker could use this vulnerability to crash a victim’s browser and execute arbitrary code on his/her system.
References : http://blogs.zdnet.com
