Mozilla fixes memory leaks and security with Firefox 15
Thirty-one security flaws patched, nearly half reported by one Google engineer
By Gregg Keizer | Computerworld US | Published: 08:50, 29 August 2012
Mozilla has launched Firefox 15, boasting that users will see "drastic improvements in performance" because of new code that stops add-ons from leaking memory.
The open-source developer also patched 31 vulnerabilities, 23 of them rated "critical," the highest threat level in Mozilla's system. Five were labeled "high" and three were pegged as "moderate."
Nearly half of the total were reported by Abhishek Arya, who goes by the nickname "Inferno," of the Google Chrome security team, said Mozilla in an accompanying advisory. Another four were submitted by a pair of long-time contributors to Google's bug-bounty program.
One of the more interesting vulnerabilities could allow an attacker to hijack a PC after a Firefox install, assuming he or she could plant a file in the Windows root directory beforehand.
Twenty-six of the 31 vulnerabilities were also patched in a companion update to Firefox ESR, or Extended Support Release, the version designed for businesses. Unlike the normal Firefox build, ESR does not change its feature set or user interface (UI) for more than a year, although it does receive security patches.
Mozilla last upgraded Firefox on 17 July. The company issues a new version every six weeks under the rapid-release schedule it adopted last year.
Feature changes in Firefox 15 included new support for SPDY v3, the Google-designed protocol that promises faster and more secure page loading, and the final installment of the browser's silent update service. Firefox 15 applies regularly scheduled and emergency updates entirely in the background so that the user no longer sees an update installation progress bar.
Called "background updating" by Mozilla, the process is invisible to users because the update is automatically applied, then staged in a different directory or folder than the current copy of the browser. The next time Firefox is launched, the staged directory swaps places with the active directory.
Mozilla has worked on silent updating, and chased Chrome's similar feature, for over two years.
The addition Mozilla touted, however, was a continuation of more than a year's work on reducing the browser's memory footprint, particularly in plugging "leaks" created when code doesn't properly release memory after a chore is completed. The leaked memory is never returned to the available pool, reducing what's available for other applications, or even for Firefox at a later point. Eventually, performance suffers.
Complaints about Firefox's memory usage have historically centered on the browser's habit of not releasing memory when tabs are closed.
Firefox 15 doesn't look any different, but Mozilla claims users will see "drastic improvements in performance" because the browser stops third-party add-ons from leaking memory like the proverbial sieve.
In June 2011, Mozilla kicked off "MemShrink," an effort to plug those leaks. With Firefox's own problems addressed -- in a blog post today, Asa Dotzler, director of Firefox, said Mozilla has "fixed the larger Firefox issues" -- the company turned attention to third-party add-ons.
"It was time to tackle the next big source of memory leak: poorly written add-ons," said Dotzler.
Although engineers worked with some add-on developers one-on-one, Mozilla could not scale that effort. Instead, it crafted a leak-prevention mechanism that blocks the most common kind of add-on memory mistake, in which extra copies of a website aren't released after a tab has closed.
"These pages pile up, and can eat massive amounts of memory for no user benefit. They leak," Dotzler said.
Mozilla's Nicolas Nethercote, the developer in charge of the MemShrink project, called that kind of leak a "zombie compartment." According to Nethercote, zombies accounted for 90% of the identified add-on leaks.
In a post to his own blog last month, Nethercote trumpeted the new leak prevention code, citing one example where Firefox 15 used just 24% as much memory as Firefox 14 after tabs engaged by an add-on were closed.
"We are confident that Firefox 15 fixes the vast majority of add-on memory leaks, and that as a result, many users will see drastic improvements in Firefox's performance and stability," said Nethercote.
According to Web measurement company Net Applications, Firefox users accounted for 20.2% of all those who went online last month. Irish measurement firm StatCounter, meanwhile, pegged Firefox's global share for July at 23.7%.
Windows, Mac and Linux editions of Firefox 15 can be downloaded manually from Mozilla's site. Installed copies will be upgraded automatically.
The next version of Firefox is scheduled to ship 9 October.