Mozilla patches Firefox, but leaves some flaws unfixed
Although 14 vulnerabilities were fixed, several more remain
Computerworld - Mozilla Corp. updated Firefox Friday to patch 14 vulnerabilities, three of them critical, but pushed out the new versions without fixing several flaws.
Firefox 220.127.116.11 and Firefox 18.104.22.168, which originally were to release on Wednesday, were delayed to patch a series of bugs, including some disclosed this month by Polish researcher Michal Zelewski. Two others forwarded to Mozilla developers by Zelewski, however, didn't make it into today's updates.
"Neither of those will make this release," said Daniel Veditz, of the Mozilla security in an e-mail. "It is important that we get the security fixes we have into the hands of our users."
Of the bugs filed by Zelewski but not fixed in the updates, the most serious is a memory corruption flaw that could let attackers inject code remotely into Firefox-equipped machines simply by duping users into visiting a malicious Web page. "Firefox is susceptible to a seemingly pretty nasty, and apparently easily exploitable, memory corruption vulnerability," wrote Zelewski in the Bugzilla database.
Also unrepaired in the latest browser versions is a third Zelewski-discovered bug that could give cybercriminals a leg up when running phishing attacks.
Mozilla spelled out the security fixes in Firefox 22.214.171.124 and 126.96.36.199 here.
Firefox 188.8.131.52 is nearly at the end of its supported lifespan. After April 24, Mozilla will stop issuing security and stability updates to that edition.
Firefox 184.108.40.206 can be downloaded from the Mozilla Web site in versions for Windows, Mac OS X and Linux in 36 languages. Users can also update current editions with the Check for Updates command in the Help menu.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts