Critical security flaws fixed in Firefox update

IDG News Service - Mozilla Corp. has released a new version of its Firefox browser containing critical security updates. Version 1.5.0.1 of the browser, released Wednesday, also contains a number of "stability" fixes to address problems causing the browser to gum up the performance of some systems.
Wednesday's release marks the first time Mozilla developers have used the product's new automatic update mechanism, which was introduced with Version 1.5 of the browser.
By Thursday, some users were complaining on online forums that they had not been automatically notified of the software updates, as expected. But this delay is happening because Mozilla is staggering the updates to prevent its servers from overloading, according to Mike Schroepfer, vice president of engineering at the unit of the Mozilla Foundation.
Before Wednesday's software release, the updating service had been tested with about 500,000 early testers, and it worked fine, Schroepfer said. "There's no need to panic," he said. "I have high confidence that [all users] will get the update."
The new release's eight security fixes have been cumulatively been rated as "highly critical" by Copenhagen-based security firm Secunia, because some of them could theoretically be exploited to take over an unpatched PC.
However, this risk is mitigated because there is no known code in circulation that exploits any of the bugs, according to Schroepfer. "They're all things we've found internally," he said.
As of Thursday morning, Firefox users had downloaded about 10 million updates, and Schroepfer estimated that another 10 million to 15 million were to come.
Though the new release is not supposed to break any Firefox extensions, some users had reported problems with some of these add-on programs. Marc Orchant, a blogger and marketing executive at VanDyke Software Inc., said that the update broke four of the 20 extensions he uses.
By Thursday morning, two out of his three PCs running Firefox had updated, and Orchant was generally pleased with the experience. "Both of them updated without incident," he said "and it did a very nice job of telling me which extensions it was breaking for me."
Orchant was also impressed that Mozilla developers had taken steps to address memory-leak problems that were causing his browser to consume as much as 200MB of system resources at times. "They appear to have fixed the most significant memory leaks," he said. "It seems to be hovering at the 45MB range now."
Also on Thursday, Secunia warned of a "moderately critical" bug in the way Mozilla's Thunderbird e-mail client processes e-mail that uses the JavaScript Web programming language. Usersare advised to disable JavaScript and to be careful about opening e-mail from untrusted sources in order to avoid any associated problems, Secunia said.

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.