Update: Mozilla patches six Firefox vulnerabilities
Firefox 3.0.13 fixes SSL flaws divulged at Black Hat; 3.5.2 plugs known SOCKS5 hole
August 4, 2009 01:44 PM ET
Computerworld - Editor's note: This story has been updated with more complete information from Mozilla.
Mozilla on Monday patched Firefox 3.5 and Firefox 3.0 to quash six security vulnerabilities, including two unveiled last week at Black Hat and a third Mozilla itself revealed last month.
Firefox 3.0.13, the update to the older browser that Mozilla will drop from its support list in January 2010, repairs three bugs, while Firefox 3.5.2 fixes four. The per-version counts add up to seven rather than six because one patch is shared by 3.0.13 and 3.5.2.
Two of the vulnerabilities patched by Firefox 3.0.13 were disclosed last Thursday at Black Hat by Dan Kaminsky of IOActive and by a security consultant who calls himself Moxie Marlinspike.
Independently, Kaminsky, best known as the discoverer of the DNS (Domain Name Server) vulnerability last summer, and Marlinspike demonstrated how hackers could exploit flaws in browsers' implementation of SSL (Secure Socket Layer), the Web's default encryption protocol.
Attackers could hijack a Web session to steal critical passwords or trick Firefox users into accepting a bogus software update that contained malware.
Firefox 3.5 was already safe from such attacks, since Mozilla's developers had used a newer, more secure version of NSS (Network Security Services), a set of code "libraries" for baking SSL into browsers.
Mozilla also quashed a bug in 3.0.13 that could be used by identity thieves to spoof the URL in Firefox's address bar. The company pegged the flaw as a "moderate" danger.
Firefox 3.5.2, meanwhile, patched four vulnerabilities: the spoofing issue, two critical flaws in JavaScript handling and the browser engine, and a bug in how the browser handles replies from a SOCKS5 proxy. Mozilla rated the last as a "low" threat because it found no evidence of memory corruption, the precondition an attacker would need to inject and run malicious code on the machine.
The SOCKS5 bug had been fixed in Firefox 3.0.12, which Mozilla issued July 21, but not in the fast-track update rushed out for Firefox 3.5 on July 16 to stymie a zero-day flaw.
Mike Beltzner, director of Firefox, explained why the SOCKS5 bug fix didn't make it into the July 16 Firefox 3.5.1, even though it shipped before 3.0.12.
"Firefox 3.5.1 was a fast-turn release to patch a critical security issue that had been publicly disclosed, putting active users at risk," Beltzner said in an e-mail reply to questions. "A patch for the SOCKS5 issue -- which was a non-critical security issue, as no memory corruption was possible -- was not yet available for the Firefox 3.5 branch, so we chose not to hold the Firefox 3.5.1 release for that issue, as it would unduly delay releasing a fix that would protect users from a more critical issue."
According to Web metrics company Net Applications, Firefox accounted for 22.5% of all browsers used worldwide during July. About three out of four Firefox users are still running 3.x, not the newer 3.5.
Firefox 3.5.2 and 3.0.13 can be downloaded for Windows, Mac OS X and Linux, but current users can also call up the browsers' updaters, or wait for automatic update notifications to appear in the next 48 hours.