Friday, April 23, 2010

Mozilla to Addresses Security Hole in 3.6: Firefox 3.6.2 Released Ahead of Schedule

Last Monday, Mozilla released Firefox 3.6.2 to address critical security hole involving Web-based font technology.

In a blog post by Mozilla developer News they announced the release of the said browser ahead of schedule and are presently available for download for Windows, Mac and Linux. They also expressed their strong recommendation for the upgrade.

The said security hole was reported by Evgeny Legerov of Intevydis. In his report he said that the WOFF decoder contained an integer overflow in a font decompression routine. This could lead to a small memory buffer being allocated to store downloadable font. With this it could lead an attacker to crash it's victim's browser and worse allows him to run arbitrary code in the machine as well.

For those who are using earlier versions of Firefox, there's no need to worry of this problem since WOFF is introduced in the 3.6 version thus not affecting them.

WOFF or Web Open Font Format is a format developed during 2009. It is a wrapper that contains sfnt-based fronts (True Type, Open type or Open font Format) that are compressed using a WOFF encoding tool that enables them to be embedded in a web page.