Couple hours after Mozilla released Firefox Beta 1, the first bug found. Tim Ferris, a security researcher, posted information about the security flaw on this browser, accompanied with proof-of-concept code, on his own website and Full Disclosure security mailing list.

Ferris said, “A buffer overflow vulnerability exists within Firefox version 1.0.6 and all other prior versions which allows for an attacker to remotely execute arbitrary code on an affected host.“.

Secunia, a Danish security vulnerability tracker, marked this bug as “Highly Critical”. They noted that the flaw also affects Mozilla 1.7x and Netscape 7.x and 8.x browsers.

The vulnerability is caused due to an error in the handling of an URL that contains the 0xAD character in its domain name. This can be exploited to cause a heap-based buffer overflow.

Successful exploitation crashes Firefox and may potentially allow code execution but requires that the user is tricked into visiting a malicious web site or open a specially crafted HTML file.

Mozilla has been notified about the flaw and currently working on it. On Friday afternoon, they released a small patch that disables support for international domain names, or IDNs (the buffer overflow at issue occurs in the code that normalizes IDNs). The detail about the patch is available here.

A vulnerability in WordPress’s handling of incoming cookie information allows remote attackers to cause the program to execute arbitrary code if the PHP settings of register_globals has been set to On.

To protect your blog, you can choose between these 2 solution:

1. From Tamba2, edit .htaccess file that covered your blog and add the following line:
   php_flag register_globals off
2. From Kamigoroshi, if you’re too lazy to edit the file, just download the fix here, and upload it to your blog directory. It will replace wp-settings.php file.

That’s it, you’re now immune to the remote attack caused by this exploit. It’s easy and take less than 5 minutes, so you should do it a.s.a.p before it’s too late :d