Mozilla Firefox Security Update Released

Mozilla.org has announced an updated version of its Firefox 1.0 Preview Release. Internally known as version 0.10.1, this Firefox release addresses a security issue that could allow a site to delete files from the download directory if properly exploited. Information from the press release:

  • How can I verify that I have installed the patch and that I am running the most recent version of the Firefox Preview release?

    Click on the Help menu and select About Mozilla Firefox. Examine the User Agent information on that page that is displayed, e.g.

    Mozilla/5.0 (OS Information; Lang. Information; rv:1.7.3) Gecko/20040923 Firefox/0.10.1.

    If you observe that you have 0.10.1 installed, you have the patch and are running the most recent version.

  • How does this security vulnerability expose the user?

    A malicious hacker who could trick a user into saving a file could delete files from a user's download directory.

  • How serious is this vulnerability?

    While this is a potentially severe security vulnerability, user interaction is required to trigger potential harm. This security update is also another example of the Mozilla Foundation identifying and fixing security vulnerabilities before they are exploited by malicious hackers. This type of security vulnerability is very different from cases where a hacker could take advantage of a vulnerability to obtain valuable information from a user's computer.

  • Doesn't this case illustrate that all browsers are equally insecure?

    The Mozilla Foundation continues to have a very strong track record on security. According to Secunia, an independent security monitoring organization, Firefox currently has 1 open security issue, out of a total of 13 security advisories filed in 2003 and 2004. 0% of these are labeled "extremely critical", 15% are labeled "highly critical". For the same period, Secunia lists 16 open security issues out of 44 advisories for Internet Explorer 6.0, 14% of which are labeled "extremely critical", 34% are "highly critical".

The updated 1.0 Preview Release is available at the Firefox Website. Presently, this security issue is known to affect only Firefox, not other Mozilla.org products.