Germany Warns Web Users To Stop Using Firefox

The German government has warned its citizens not to use Mozilla’s Firefox browser until a security vulnerability is fixed.

The advisory was issued 19 March by BürgerCERT, Germany’s Computer Emergency Readiness Team, in response to a vulnerability reported by Russian security researcher Evgeny Legerov. Legerov, who is the founder of the Moscow-based security firm Intevydis, discovered the bug last month and added it as a module to Vulndisco, an add-on to the Immunity Canvas exploit system used by security pros for penetration testing.

Legerov’s exploit can be used to trigger a heap corruption vulnerability and can potentially allow an attacker to execute arbitrary code. The attack works against Mozilla Firefox 3.6, the most current version of the browser, but does not affect earlier versions, according to Mozilla.

Earlier this year, Germany and France urged users to ditch Microsoft Internet Explorer (IE) as a result of the Aurora attack on Google, Adobe and other corporations. In that case, the attackers exploited a security vulnerability in IE that Microsoft began investigating in September but had failed to patch. The company fixed the flaw in January.

“Switching your web browser willy-nilly as each new unpatched security hole is revealed could cause more problems than it’s worth,” blogged Sophos Senior Technology Consultant Graham Cluley. “For instance, imagine how much training some users will require to switch from one browser to another. And it’s worth bearing in mind – what are you going to do when your replacement browser itself turns out to contain a vulnerability? Are you going to switch yet again?”

Mozilla did not respond immediately to a request for comment on the German government’s advisory. But the company has said the vulnerability will be fixed in Firefox 3.6.2, which is scheduled to be released on 30 March. The release candidate for the browser already contains the fix, and can be downloaded here.

Thunderbird and SeaMonkey are based on earlier versions of the browser engine and are not affected, according to Mozilla.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved
