Saturday, September 27, 2008

Mozilla Rushes to Fix Firefox Non-Security Password Bug

Via ComputerWorld -

Just a day after it released Firefox 3.0.2 to fix 11 vulnerabilities, Mozilla Corp. said that an overlooked password bug requires a fast-track update it hopes to launch next week.

Late Wednesday, Mike Beltzner, Mozilla's director of Firefox, said that the bug, which prevents some users from accessing their browser-saved passwords, means another update is necessary. "While this doesn't affect all Firefox users, it is a significant regression and has triggered a fast-release Firefox 3.0.3 which will contain a single fix," Beltzner said in a message to the group.

The bug popped up in Firefox 3.0.2, which Mozilla released Tuesday, after developers added a fix to make the browser's password manager work on international domain name (IDN) sites. IDN sites are those that have non-ASCII characters in their URLs, such as addresses with Arabic, Hebrew or Chinese characters, or ones with non-English diacritical marks.

According to Beltzner, users who have saved passwords on IDN sites or some non-English domains will be unable to access those passwords or save any new passwords after updating to Firefox 3.0.2.

"There is no permanent data loss, the saved data is just inaccessible," Beltzner noted.

Regression bugs aren't unknown to Mozilla or Firefox. Last November, the company rushed a release out the door to fix five bugs it had introduced in the previous version of the browser, which had been posted for download about a week before.

A fix for the password regression bug has been crafted and is being tested, Beltzner added.


Oh well, mistakes happen.

At least it wasn't a missing fix for a critical remote code execution vulnerability.

People really shouldn't be storing their passwords in the browser anyways ;)

UPDATE - 9/27/08 3:07pm CST - Firefox 3.0.3 has been released. Check the release notes for the details.
