IT Jobs
Mozilla fixes holes in Firefox
Security update makes users less vulnerable to hacking
By Gregg Keizer | Computerworld US
Published: 10:12 GMT, 28 October 09
Mozilla on Tuesday patched 16 vulnerabilities in Firefox, 11 of them critical, as it updated the open source browser to version 3.5.4.
The 11 critical Firefox 3.5 vulnerabilities were located in a variety of components, including web worker calls, the GIF color map parser, the string to number converter, a trio of third party media libraries, and both the JavaScript and browser engines.
"Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla said in some of the advisories outlining the most serious flaws.
Firefox developer releases open source messaging tool | Mozilla backtrack and unblocks Microsoft add-on for Firefox | Mozilla lets Google Chrome, other rivals run Firefox security plugin | Mozilla releases Firefox 3.6 beta
Firefox 3.0, which was first released in the summer of 2008 and will be retired from security support in January 2010, was also updated today with the release of version 3.0.15. The older browser received nine patches, four marked critical.
The disparity between the two versions' patch counts was due to several that affected only the newer Firefox 3.5, including the three critical bugs outlined in MFSA-2009-63 that required upgrades of the "liboggz," "libvorbis," and "liboggplay" open source media libraries.
Three of the four vulnerabilities spelled out in MFSA-2009-64 generate browser crashes, while the last affects the TraceMonkey JavaScript engine that debuted in Firefox 3.5. Mozilla recommended users disable JavaScript in Firefox if they were unable or unwilling to patch the browser. Only one of the four engine crashes impacts Firefox 3.0.
Mozilla rated three of the 16 vulnerabilities as "moderate," the second from the bottom ranking in its four step system, and two as "low," its least serious rating.
The updates came just a day before Mozilla is slated to release the first beta of Firefox 3.6, a minor update currently set to ship before the end of the year. At one point, Mozilla was hoping to unveil Firefox 3.6 Beta on 13 October, but several bugs delayed the preview.
Firefox 3.6 will be the first of two so called "minor" upgrades that Mozilla intends to produce between now and the middle of 2010. Last month, Mozilla switched to a quicker-paced development cycle to bring new features or under the bonnet improvements to users faster, and to stay competitive in the aggressive browser market.
Mozilla is still hammering out how it will offer users Firefox 3.6 when it ships in final form. Some, including Firefox director Mike Beltzner, lean toward a security update-like mechanism, while others have argued for something more explicit, akin to the "major upgrade" invitations that Mozilla presents users of older editions from time to time.
"As proposed earlier in the summer, Firefox 3.6 will be primarily a release with security, stability, speed and capability enhancements, with no visible user interface changes over Firefox 3.5," Beltzner wrote in an Oct. 15 message to the "mozilla.dev.planning" forum. "As such, I think we should consider it as a candidate for a minor update, stretching our definition of what types of updates we can provide using that mechanism."
Firefox 3.5.4 and 3.0.15 will be available for Windows, Mac OS X and Linux directly from the Mozilla site when they're posted in the next few hours.
Current Firefox users, however, will be able to call up the browsers' update tools, or wait for automatic update notifications to appear in the next 48 hours.
.gif)
Add your commentComments