Mozilla delivers silent updating with Firefox 12 release

Patches 14 security bugs in the desktop browser, 19 in the mobile version

Mozilla today released Firefox 12, patching 14 security bugs in the browser and moving it one step closer to matching rival Chrome in silent updating.

The latest in the line of updates that have rolled off the Mozilla development line every six weeks since mid-2011, Firefox 12 fixed seven vulnerabilities labeled "critical," the highest threat ranking in Mozilla's four-step scoring, four bugs tagged "high" and three pegged "moderate."

Mozilla also patched 19 other bugs, all critical, in the mobile edition of Firefox, which runs on the Android platform.

Among the 14 desktop vulnerabilities, Mozilla patched three that could be used by hackers in cross-site scripting (XSS) attacks, one that applied only to Windows Vista and Windows 7 PCs with hardware acceleration disabled and another in image rendering done by the WebGL 3D standard.

Two of the bugs were reported by security researchers at rivals Google and Opera Software. The Google engineer also notified Mozilla of all 19 vulnerabilities in the FreeType library that affected the mobile version of the browser.

Unlike Google, Mozilla does not call out bounties it's paid to outside researchers for reporting vulnerabilities, even though Mozilla does have a reward program.

As usual, Mozilla did not explicitly say that all the flaws could be exploited, but instead hedged with its traditional phrasing of, "We presume that with enough effort at least some of these could be exploited to run arbitrary code."

Eleven of the 14 bugs were also patched in Firefox ESR, or Extended Support Release, the longer-lived edition designed for enterprises that don't want to update workers' machines every few weeks.

The current version of Firefox ESR is based on Firefox 10, which shipped in December 2011. ESR receives only security updates during its 54-week lifespan. The first iteration of ESR won't appreciably change until November 2012, and will be supported with security patches until early February 2013.

As expected, Mozilla did not release fixes for Firefox 3.6, the 2010 browser it officially retired today.

Mozilla has been nagging Firefox 3.6 users with pleas to upgrade for weeks, and will take the unusual step of automatically upgrading them to Firefox 12 early next month.

Although Mozilla touted a total of 85 improvements for Web developers, it focused on the feature that brought the browser, at least on Windows, one step closer to true "silent" updating.

Firefox update dialogue box
Firefox 12 skirts Windows' UAC prompt, but by clearing the highlighted box, users can restore the warning.
1 2 Page
FREE Computerworld Insider Guide: IT Certification Study Tips
Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies