The German government has advised users not to use Mozilla Firefox because of a critical security flaw.
After it advised users to switch to another browser in January while Microsoft prepared an out-of-band patch for the zero-day vulnerability that affected old versions of Internet Explorer, the German Bundesamt für Sicherheit in der Informationstechnik has recommended users stop using Firefox until Mozilla releases a fix.
The advice came from BürgerCERT, a section of the department, and said that due to the ‘unspecified vulnerability in Mozilla Firefox version 3.6’, it was recommending use of another browser. It claimed that the vulnerability would allow a remote attacker to inject malicious code into a website.
Mozilla acknowledged the bug after it was contacted by Evgeny Legerov, who it said had sufficient details to reproduce and analyse the issue. It said: “The vulnerability was determined to be critical and could result in remote code execution by an attacker.
“The vulnerability has been patched by developers and we are currently undergoing quality assurance testing for the fix. Firefox 3.6.2 is scheduled to be released 30th March and will contain the fix for this issue. As always, we encourage users to apply this update as soon as it is available to ensure a safe browsing experience.” It also clarified that the issue affects Firefox 3.6 only and not any earlier versions.
Sophos' senior technology consultant Graham Cluley said that while it is easier for computer-savvy home users to leapfrog from browser to browser than companies, switching your web browser as each new unpatched security hole is revealed could cause more problems than it is worth.
He said: “It is worth bearing in mind what are you going to do when your replacement browser itself turns out to contain a vulnerability? Are you going to switch yet again?
“My advice is to only switch from Firefox if you really know what you are doing with the browser you're swapping to. If you stick with Firefox, apply the security update as soon as it is available.”