Yesterday, Mozilla has finally released the long-waited Firefox update, Firefox Beta 1. The new version of this growing open-source browser offers faster browsing experience, more stability, support for the latest web technology (CSS3, JavaScript 1.6, etc), security enhancement, and many more. The 2nd Firefox beta version will hit public on 5 October 2005.

Couple hours after Mozilla released Firefox Beta 1, the first bug found. Tim Ferris, a security researcher, posted information about the security flaw on this browser, accompanied with proof-of-concept code, on his own website and Full Disclosure security mailing list.

Ferris said, “A buffer overflow vulnerability exists within Firefox version 1.0.6 and all other prior versions which allows for an attacker to remotely execute arbitrary code on an affected host.“.

Secunia, a Danish security vulnerability tracker, marked this bug as “Highly Critical”. They noted that the flaw also affects Mozilla 1.7x and Netscape 7.x and 8.x browsers.

The vulnerability is caused due to an error in the handling of an URL that contains the 0xAD character in its domain name. This can be exploited to cause a heap-based buffer overflow.

Successful exploitation crashes Firefox and may potentially allow code execution but requires that the user is tricked into visiting a malicious web site or open a specially crafted HTML file.

Mozilla has been notified about the flaw and currently working on it. On Friday afternoon, they released a small patch that disables support for international domain names, or IDNs (the buffer overflow at issue occurs in the code that normalizes IDNs). The detail about the patch is available here.