Update: Mozilla patches six Firefox vulnerabilities
Firefox 3.0.13 fixes SSL flaws divulged at Black Hat; 3.5.2 plugs known SOCKS5 hole
Computerworld - Editor's note: This story has been updated with more complete information from Mozilla.
Mozilla on Monday patched Firefox 3.5 and Firefox 3.0 to quash six security vulnerabilities, including two unveiled last week at Black Hat and a third Mozilla itself revealed last month.
Firefox 3.0.13, the update to the older browser that Mozilla will drop from its support list in January 2010, repairs three bugs, while Firefox 3.5.2 fixes four. The per-version counts add up to seven rather than six because one patch is shared by 3.0.13 and 3.5.2.
Two of the vulnerabilities patched by Firefox 3.0.13 were disclosed last Thursday at Black Hat by Dan Kaminsky of IOActive and by a security consultant who calls himself Moxie Marlinspike.
Working independently, Kaminsky, best known as the discoverer of the DNS (Domain Name Server) vulnerability last summer, and Marlinspike each demonstrated how hackers could exploit flaws in browsers' implementations of SSL (Secure Sockets Layer), the Web's default encryption protocol.
Attackers could hijack a Web session to steal critical passwords or trick Firefox users into accepting a bogus software update that contained malware.
Firefox 3.5 was already safe from such attacks because Mozilla's developers had built it with a newer, more secure version of NSS (Network Security Services), the set of code libraries that implements SSL for the browser.
Mozilla also quashed a bug in 3.0.13 that could be used by identity thieves to spoof the URL in Firefox's address bar. The company pegged the flaw as a "moderate" danger.
Mike Beltzner, director of Firefox, explained why the SOCKS5 bug fix didn't make it into the July 16 Firefox 3.5.1, even though it shipped before 3.0.12.
"Firefox 3.5.1 was a fast-turn release to patch a critical security issue that had been publicly disclosed, putting active users at risk," Beltzner said in an e-mail reply to questions. "A patch for the SOCKS5 issue -- which was a non-critical security issue, as no memory corruption was possible -- was not yet available for the Firefox 3.5 branch, so we chose not to hold the Firefox 3.5.1 release for that issue, as it would unduly delay releasing a fix that would protect users from a more critical issue."
According to Web metrics company Net Applications, Firefox accounted for 22.5% of all browsers used worldwide during July. About three out of four Firefox users are still running 3.x, not the newer 3.5.
Firefox 3.5.2 and 3.0.13 can be downloaded for Windows, Mac OS X and Linux, but current users can also call up the browsers' updaters, or wait for automatic update notifications to appear in the next 48 hours.