Mozilla fixes 11 new flaws in Firefox, six critical
It also patches Firefox 2.0; just one more update coming for older browser
November 13, 2008 12:00 PM ETComputerworld - Mozilla Corp. on Wednesday patched 11 vulnerabilities in Firefox 3.0 -- and 12 bugs in the older Firefox 2.0 -- that could be used to compromise computers and steal information.
Yesterday's update patched virtually the same number of vulnerabilities as the last security update seven weeks ago.
Firefox 3.0.4, the fourth update since Mozilla launched the browser in June, fixes six flaws rated "critical," two "high," two "moderate," and one "low" in Mozilla's four-step scoring system. Most of the critical bugs could be used by hackers to introduce their own malicious code into a vulnerable system.
Among the most serious were a trio of vulnerabilities in the browser's layout and JavaScript engines, while others included a buffer overflow bug in the HTTP index format parser and one -- pegged as moderate -- in the file: protocol handler. Mozilla repeatedly patched protocol handler bugs in Firefox starting in July 2007.
That vulnerability was judged moderate by Mozilla because of extenuating circumstances. "It requires an attacker to have malicious code saved locally, then have a user open a chrome: document or privileged about: URI, and then open the malicious file in the same privileged tab," Mozilla said in its advisory.
Mozilla also updated the nearly retired Firefox to 2.0.0.18, patching all but two of the same vulnerabilities fixed in 3.0.4 and several others for good measure. Of the dozen bugs, six were rated critical. The 2.0.0.18 update will be the next-to-the-last one for the older Firefox 2.0, which will be dropped from support next month.
Before that happens, Mozilla will make one last effort to convince Firefox 2.0 users to upgrade. In two to three weeks, users will again be prompted to upgrade in a repeat of an offer first extended in August. Mozilla has been very successful in convincing users to upgrade; as of the end of October, 73% of users were running the newer Firefox 3.0, reported Web metrics firm Net Applications.
Not updated on Wednesday was Thunderbird, which remains at Version 2.0.0.17. It's not unusual for the e-mail client to lag behind Firefox in patching vulnerabilities; as in the past, several of the issues in Firefox are also present in Thunderbird. Because the most dangerous of the six shared vulnerabilities are in various elements of the browser's JavaScript support, Thunderbird users can protect themselves in the interim by disabling JavaScript.
At times, the gap between Firefox and Thunderbird patches has been more than a month. This time, however, Thunderbird should be updated soon; Version 2.0.0.18 entered beta testing yesterday.
Users can download the update for Windows, Mac OS X and Linux from the Mozilla site, call up their browser's built-in updater or wait for the automatic update notification, which typically appears within 48 hours.
Read more about security in Computerworld's Security Knowledge Center.
Mozilla
Additional Resources



Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
Master Data Management Projects in Practice - An Information Difference Research Study
Information Difference conducted a survey of both end-user organizations and systems integrators aimed at gaining deeper insight into MDM implementations and their success...
Podcast: Promote your apps and services to the thriving BIRT user community
Listen to this podcast now!
Open Source Master Data Management: The Time is Right
MDM is a natural extension to data integration and data quality. Open source MDM introduces a new, more accessible approach. It reduces implementation...
Enabling Identity and Security Management with Open Source
Watch this complimentary webcast today!
Practical Open Source Data Integration: Case Studies & Implementation Examples
This third volume of Practical Open Source Data Integration: Case Studies & Implementation Examples presents selected case studies, illustrating real-life implementations of open...
Data in Action: Making the Planet Smarter
Register Now
The Top 10 Reasons for Choosing Open Source Data Integration
Are you trying to understand your options for data integration? This White Paper presents the top 10 reasons why organizations are choosing open...
The Benefits of IBM: The Savings of Open Source
Download Now
The Workday User Experience Video
Watch Workday's Creative Director, Scott Lietzke, discuss the business-centered design philosophy at Workday.
Computerworld Reports
Strategic Content ManagementLearn how the right Enterprise Content Management (ECM) solution can start saving you money within a week and pay for itself in as little as three months. These case studies and white papers provide practical information on how to go from theory to reality - to help you put together a plan that will achieve your content management and process automation goals. Enter the Strategic Content Management Zone now |


