Security bug found in latest Firefox version

An unpatched vulnerability in version 3.5 of Firefox, just released last month, could enable a hacker to remotely run arbitrary code on users' machines, security firm Secunia said Tuesday in an advisory.

The vulnerability arises when the browser processes JavaScript code to handle HTML font tags, the advisory said. An exploit can cause a memory corruption buffer overflow, which could lead to a compromise on an affected system.

“If your browser (Internet Explorer, Firefox, etc.) or its plug-ins (Adobe Flash Player, QuickTime, Sun Java, etc.) contain vulnerabilities, then you're exposed to security threats every single time you visit a website,” Secunia spokesman Mikkel Winther told SCMagazineUS.com in an email Tuesday.

No patch is available yet from Mozilla, though exploit code has been posted on exploit repository milw0rm, which has reopened after temporarily shutting down.

Until a patch from Mozilla is available -- a fix may come later this month) -- US-CERT has encouraged users and administrators to disable JavaScript to mitigate any risks associated with the vulnerability. On its site, US-CERT describes a method to turn JavaScript off.

If that is untenable, Secunia said the best way to avoid being infected is to practice safe web surfing.

“We can only recommend that users refrain from visiting untrusted websites,” Winther said.

prestitial ad