Security hole hits Firefox

Buffer overflow flaw affects all versions of the open source browser

Mozilla's Firefox browser is susceptible to a buffer overflow attack that is deemed 'highly critical', users have been warned.

The flaw was discovered by security expert Tom Ferris and affects all versions of the open source browser up to 1.0.6, as well as the beta for Firefox 1.5, he reported on his website. 

The vulnerability allows an attacker to remotely execute code on a compromised system through a buffer overflow attack.

Demonstrating the vulnerability, Ferris offers a link to a page where a specially crafted URL will cause the browser to freeze and eventually crash, closing all browser windows. Microsoft's Internet Explorer is unaffected by the flaw.

Ferris reported the issue to Mozilla on 4 September, but allegedly decided to go public after a disagreement with the organisation.

Mozilla has published a patch that protects the browser against sites seeking to exploit the flaw, and has posted instructions for a manual workaround.

Firefox uses its record on security as a principal selling point in enticing users to switch from Internet Explorer. But although Microsoft's browser has been hit with a series of vulnerabilities, Firefox has also had its share of problems recently.