Life, Photography, and Security

Random thoughts that have crossed my mind

2005-09-13

Firefox IDN buffer overflow

I am a strong supporter of IDN (Internationalized Domain Names), for a fairly obvious reason. Support for IDN has been shaky, however, as Microsoft has failed to support it promptly. Just goes to show that Microsoft still doesn’t handle internationalization properly.

A recently discovered IDN vulnerability in Firefox prompted the developers to temporarily disable IDN support in Firefox. This is yet another delay in the deployment of IDN, and it seems that we will have to wait for a fix until the next Firefox release.

I think that the Firefox developers made a mistake here. They should fix their bug and distribute a fixed version, not just suggest that people disable a feature. Most users would upgrade to the next point release, but I fear that many will not implement the smaller fix. This leaves a large population of Firefox users vulnerable for an extended period of time. I can already see the Firefox developers scrambling to get a proper fix out when a wide-scale exploit surfaces.

Bad call, guys. You just put your reputation on the line. Here, let me get this said ahead of time: “I told you so!”
