Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Firefox gets crash protection

Mozilla releases Firefox 3.6.4, updates nine flaws

Article comments

Mozilla on Tuesday patched nine vulnerabilities, six of them critical, in Firefox 3.6 and Firefox 3.5.

But rather than highlighting the security fixes in Firefox 3.6.4, the company instead emphasised the addition of crash protection, a move meant to keep the browser alive when popular plug-ins drop dead.

Updates to Firefox 3.6.4 and Firefox 3.5.10 fixed nine flaws for each version, although the total patch count came to 10 because two fixes affected only one of the pair.

Six of the nine vulnerabilities for each browser were rated "critical," Mozilla's highest threat ranking, indicating that hackers could use them to compromise a system running Firefox, then plant other malware on the machine.

Two were labeled "moderate," the second-lowest rating, while one was tagged as "low."

One of the critical flaws was reported to Mozilla by Nils, a German research who only goes by his first name.

Nils gained fame by winning cash prizes at the last two annual Pwn2Own hacking contests, sponsored by HP TippingPoint's Zero Day Initiative bug bounty program.

Last March, Nils took home $10,000 by sidestepping DEP (data execution prevention) and ASLR (address space layout randomization) in Windows 7 to exploit the then-current Firefox 3.6.2.

It was Nils' second Pwn2Own victory; last year he grabbed $15,000 by exploiting not only Firefox, but also Safari and IE8.

Mozilla also marked a clutch of bugs in the browser and JavaScript engines as critical, although it only assumed the flaws could be exploited.

"Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla said, using boilerplate language it often inserts into browser or JavaScript engine security advisories.

But Mozilla wanted all eyes on Firefox 3.6.4 for a different reason. "Results from our beta testing show Firefox 3.6.4 will significantly reduce the number of Firefox crashes experienced by users who are watching online videos or playing games," said Christian Legnitto, who oversees the Firefox releases, in a post to Mozilla's blog .

"When a plug-in crashes or freezes while using Firefox, users can enjoy uninterrupted browsing by simply refreshing the page," he said.

Firefox 3.6.4 currently recovers only from crashes of Adobe's Flash Player, Apple 's QuickTime and Microsoft 's Silverlight plug-ins, and is available only in Firefox for Windows and Linux . The company is still working on the feature, which it has dubbed "out of process plug-ins," or OOPP, for the Mac version.

Mozilla has had an eye on Flash for OOPP treatment because Adobe's software has been responsible for more Firefox crashes than any other plug-in, according to the company.

It has also worked other features into Firefox to deal with problems in that plug-in, and others. Last year, for example, Mozilla kicked off plug-in checking , a feature that determines whether a user is running an outdated, and possibly vulnerable, plug-in, by focusing on Flash.

A keystone of the "Lorenz" project - a move by Mozilla to quickly add features to Firefox via regular security updates rather than waiting for bigger upgrades - OOPP was designed as a stop-gap measure for Firefox 3.6 when work on the full-scale "Electrolysis" process separation project was shifted to Firefox 4 , a major update currently scheduled to ship by the end of 2010.

The addition of OOPP led to several delays of Firefox 3.6.4, which at one point was slated for an early May release, then pushed to June 1 and beyond.

Mozilla has no plans to add OOPP to the older Firefox 3.5 line, it said in an FAQ on the new crash protection feature .

Users can update to Firefox 3.6.4 by downloading the new edition or by selecting "Check for Updates" from the Help menu in the browser. Firefox 3.5 can obtain the patches by calling up the integrated update tool.



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *