Mozilla Fixes Critical Security Flaw With Firefox 3.6.2

Mozilla has fixed a critical bug in its Firefox browser ahead of schedule, after one European government warned its citizens to stop using the open source web browser.

The flaw, which was discovered by Intevydis founder Evgeny Legerov, had caused enough of a stir to prompt Germany’s BürgerCERT to advise users to ditch the browser until it was fixed.

According to Mozilla, the Web Open Font Format (WOFF) decoder contains an integer overflow in a font decompression routine. As a result, too small a memory buffer could be allocated to store a downloaded font, and an attacker could exploit the situation to crash a victim’s browser and execute arbitrary code on the system.

Only Firefox 3.6 was affected by the vulnerability.

“We urge users to promptly update to this release by selecting “Check for Updates…” from the “Help” menu, or by visiting https://www.mozilla.com/ for a free download,” according to Mozilla.

The fix is contained within Firefox 3.6.2, which was initially scheduled to be released on 30 March. After the German advisory however, Mozilla announced it was moving up the release date.

While security researchers are divided on the idea of switching browsers every time a vulnerability appears, it was not the first time a government had made the recommendation. Germany and France also advised users to ditch Internet Explorer until the vulnerability tied to the Aurora attack on Google was patched. That vulnerability was fixed in January.