Mozilla Updates Firefox Security, 3.6 Beta on Deck Six Critical Vulnerabilities Patched in Firefox 3.5.4 Release Sean Michael Kerner
It's a busy time for Mozilla Firefox developers. Late Tuesday, Mozilla released Firefox 3.5.4, updating its browser to address issues outlined in 11 new security advisories — more than half of them for critical flaws.
On the other side of the spectrum, Mozilla today is set to release the first beta of the next version of its browser, Firefox 3.6.
The new Firefox releases come as the open source browser continues to gain new users, with Mozilla CEO John Lilly tweeting earlier this week that Firefox has gained 30 million new users in the last eight weeks.
With the 3.5.4 update, Mozilla is now turning its attention to patching some common flaws.
Flaws ranked as critical in Mozilla's advisory include one titled "Crashes with evidence of memory corruption." With the previous Firefox 3.5.3 release in September, Mozilla also patched Firefox for memory corruption flaws.
There is also a pair of critical heap buffer overflow patches. One addresses an issue where the buffer overflow comes from how Firefox parses GIF image colors, while the other deals with string-to-number conversion.
The 3.5.4 release also updates Firefox's media libraries in an effort to fix memory safety bugs.
"Mozilla upgraded several third-party libraries used in media rendering to address multiple memory safety and stability bugs identified by members of the Mozilla community," Mozilla stated in its advisory. "Some of the bugs discovered could potentially be used by an attacker to crash a victim's browser and execute arbitrary code on their computer."
Among the libraries fixed by the update are the liboggz, libvorbis, and liboggplay, which are used by Firefox 3.5 and its support for the HTML 5 video tag.
Another flaw fixed in Firefox 3.5.4 involves a user's form history potentially being stolen by an attacker.
"A malicious Web page could synthesize events such as mouse focus and key presses on behalf of the victim and trick the browser into auto-filling the form fields with history entries and then reading the entries," Mozilla said in its advisory.
Downloaded files were also potentially at risk from manipulated by attackers. The 3.5.4 update fixes one flaw that potentially could have enabled an attacker to tamper with a downloaded file, though Mozilla rates the risk as low.
"If an attacker had local access to a victim's computer and knew the name of a file the victim intended to open through the Download Manager, he could use this vulnerability to place a malicious file in the world-writable directory used to save temporary downloaded files and cause the browser to choose the incorrect file when opening it," Mozilla said in its advisory on the issue.
A second flaw centering on downloaded files and fixed in the 3.5.4 update deals with a potential file name spoofing vulnerability. An attacker could have potentially manipulated the name of a file to make an executable file look like a non-executable file.
Firefox 3.6
Just as Firefox 3.5.4 is out to provide security and stability fixes for users, developers are set to deliver the Firefox 3.6 Beta 1 release today.
Officially, the 3.6 release is being described by Mozilla as a minor release. The general distinction between Mozilla's major and minor releases is that a minor update introduces few changes and aims to enable users to migrate more quickly than a major release.
For instance, current 3.5.4 users will get an automated update notification for Firefox 3.6 once it has been completed. As a result, there is a direct path from the 3.5.x releases to the 3.6 browser.
In contrast, Mozilla considered Firefox 3.5 a major release, and it had a different update mechanism that enabled users to choose when to upgrade. Until they did so, existing Firefox 3.0.x users were able to stay with Firefox 3.0.x.
That's not to say there aren't significant changes in Firefox 3.6. Among the supported new features is a new device orientation feature. So if a device moves horizontally or vertically, the orientation of the browser changes accordingly.
The way Firefox 3.6 will handle the machine orientation info is by way of a simple Javascript API that developers can access. The new Javascript event enables developers to listen for changes in orientation and have their application respond accordingly.
