Updated Friday, Sept. 9 with comments from Mozilla Engineering Director Mike Schroepfer.
A vulnerability researcher says attackers could exploit a critical new security hole in Firefox to cause a denial of service and run malicious code. But users would have to be tricked into opening a malicious Web page or HTML file for the attack to succeed.
The researcher, Tom Ferris, said in an advisory on his Security Protocols Web site that a buffer overflow vulnerability exists in Firefox 1.0.6 and all prior versions. The French Security Incident Response Team (FrSIRT) reviewed Ferris' findings and agreed in an advisory that the flaw is critical. Danish security firm Secunia also tested the vulnerability and rated it "highly critical" in its advisory.
"This flaw is due to a buffer overflow error in the 'NormalizeIDN' function when handling specially crafted URLs embedded in 'HREF' tags, which could be exploited by remote attackers to take complete control of an affected system via specially crafted Web pages," FrSIRT said.
Secunia said, "The vulnerability is caused due to an error in the handling of a URL that contains [a certain character] in its domain name. This can be exploited to cause a heap-based buffer overflow. Successful exploitation crashes Firefox and may potentially allow code execution." But, the firm said, an attacker cannot exploit the flaw successfully unless a user is tricked into visiting a malicious Web site or opening a specially crafted HTML file.
Secunia also confirmed the vulnerability in Mozilla Suite 1.7.11 and said other versions may also be affected.
Ferris, who also reported a security hole in Internet Explorer last week, said he has reported the flaw to Mozilla. "I'm guessing they are working on a patch," he said in his advisory. "Who knows, though?"
Mike Schroepfer, Mozilla's director of engineering, said his team has been looking into Ferris' findings since Tuesday and has so far been able to reproduce a system crash and an overflow. Now they're looking to see whether the problem could be exploited in an attack.
"The good news is that we haven't seen any exploits for this," he said. "We are working on a solution, and for now we recommend users stay away from Web sites they don't know and trust."
Many users consider Firefox a more secure alternative to the much-attacked Internet Explorer. But Mozilla has had to contend with a number of security holes since taking Firefox out of beta late last year. Security experts have warned that malware writers could start targeting Firefox more often as it grows in popularity.
Schroepfer said there are several reasons why Firefox will always be more secure than Internet Explorer. "We have an open development process with thousands of people around the world looking at the source code and identifying any problems they may come across," he said. "And since we don't use ActiveX, a range of potential flaws are eliminated."
He said Firefox 1.5, which was released in beta Thursday night, will be even more secure, with an automatic update service that will download patches as needed.
"Users will be notified when a download is happening, then the download will happen in the background," he said.
This article originally appeared on SearchSecurity.com