The recent news of a vulnerability in Firefox 1.5 was blown out of proportion, while the news of more damaging Internet Explorer vulnerabilities slipped by with no more than a “business as usual” attitude.
According to “Unpatched Firefox 1.5 exploit made public” by Dawn Kawamoto of CNET News.com, exploit code for the latest version of Firefox could put users at risk of a denial-of-service attack — Windows users, that is. The exploit code takes advantage of a bug in the recently released Firefox 1.5, running on Windows XP with Service Pack 2. However, if you dig deeper, you find that the security bug can cause the browser to freeze up under certain conditions, but all indications are that it fails to expose systems to more invasive hacker attacks. Mozilla.org posted a response:
We have investigated this issue and can find no basis for claims that variants of this denial-of-service attack can cause an exploitable crash, and no evidence for this claim has been offered. There does not appear to be any risk to users or their computers beyond the temporary unresponsiveness at startup.
Meanwhile, Microsoft issued fixes on Patch Tuesday (Dec. 13) for Internet Explorer that were deemed “critical” — fixing at least four security vulnerabilities, including two flaws that could enable hostile attacks. The patches also deal with Sony BMG’s counterproductive uninstaller for the ill-fated rootkit used for digital rights management (DRM) on its music CDs: in a twist, they make it impossible for you to run the First4Internet XCP uninstallation ActiveX control, a piece of code designed to remove the DRM software but which was found to create worse security problems than it attempted to solve.
As for the IE vulnerabilities, according to “Patches out for IE holes, Sony-related issue” by Joris Evers of CNET News.com:
“An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system,” Microsoft warned in its security bulletin, referring to the two critical IE flaws. The vulnerabilities exist in all currently supported versions of the browser on all editions of Windows.
Don’t be fooled by overblown press reports. The flaw in the Windows version of Firefox is nowhere near as bad as the ongoing vulnerabilities of Internet Explorer.