Update: Mozilla patches six Firefox vulnerabilities
Firefox 3.0.13 fixes SSL flaws divulged at Black Hat; 3.5.2 plugs known SOCKS5 hole
Computerworld - Editor's note: This story has been updated with more complete information from Mozilla.
Mozilla on Monday patched Firefox 3.5 and Firefox 3.0 to quash six security vulnerabilities, including two unveiled last week at Black Hat and a third Mozilla itself revealed last month.
Firefox 3.0.13, the update to the older browser that Mozilla will drop off the support list in January 2010, repairs three bugs, while Firefox 3.5.2 fixes four. The disparity between the final total and the sub-totals for each version results from a one-patch overlap between 3.0.13 and 3.5.2.
Two of the vulnerabilities patched by Firefox 3.0.13 were disclosed last Thursday by Dan Kaminsky of IOActive, and a security consultant who calls himself Moxie Marlinspike, at Black Hat.
Independently, Kaminsky, best known as the discoverer of the DNS (Domain Name Server) vulnerability last summer, and Marlinspike demonstrated how hackers could exploit flaws in browsers' implementation of SSL (Secure Socket Layer), the Web's default encryption protocol.
Attackers could hijack a Web session to steal critical passwords or trick Firefox users into accepting a bogus software update that contained malware.
Firefox 3.5 was already safe from such attacks, since Mozilla's developers had used a newer, more secure version of NSS (Network Security Services), a set of code "libraries" for baking SSL into browsers.
Mozilla also quashed a bug in 3.0.13 that could be used by identity thieves to spoof the URL in Firefox's address bar. The company pegged the flaw as a "moderate" danger.
On the other hand, Firefox 3.5.2 patched four vulnerabilities, including the spoofing issue, two critical flaws in JavaScript handling and the browser engine, and a bug in how the browser handles replies from a SOCKS5 proxy. Mozilla rated the last as a "low" threat since it found no evidence of memory corruption, necessary to let hackers inject their own malicious code into the machine.
The SOCKS5 bug had been fixed in Firefox 3.0.12, which Mozilla issued July 21, but not in the fast-track update rushed out for Firefox 3.5 on July 16 to stymie a zero-day flaw.
Mike Beltzner, director of Firefox, explained why the SOCKS5 bug fix didn't make it into the July 16 Firefox 3.5.1, even though it shipped before 3.0.12.
"Firefox 3.5.1 was a fast-turn release to patch a critical security issue that had been publicly disclosed, putting active users at risk," Beltzner said in an e-mail reply to questions. "A patch for the SOCKS5 issue -- which was a non-critical security issue, as no memory corruption was possible -- was not yet available for the Firefox 3.5 branch, so we chose not to hold the Firefox 3.5.1 release for that issue, as it would unduly delay releasing a fix that would protect users from a more critical issue."
According to Web metrics company Net Applications, Firefox accounted for 22.5% of all browsers used worldwide during July. About three out of four Firefox users are still running 3.x, not the newer 3.5.
Firefox 3.5.2 and 3.0.13 can be downloaded for Windows, Mac OS X and Linux, but current users can also call up the browsers' updaters, or wait for automatic update notifications to appear in the next 48 hours.
Security Alert
- N.J. mayor arrested on hacking, conspiracy charges
- Untethered jailbreak for iOS 5.1.1 available for download
- Lawmakers call on DOJ to reopen investigation into Google Wi-Fi spying
- Researchers propose TLS extension to detect rogue SSL certificates
- GAO: U.S. gov't IT reform slower than claimed
- European privacy regulators want more detail on Google's policy changes
- Yahoo leaks private key, allows anyone to build Yahoo-signed Chrome extensions
- Security researcher urges IT to keep up with SAP patches
- 10 questions for Imperva CTO Amichai Shulman
- Bounty hunters find 8 Google services bugs
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.


- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Practice Management: Double Billing Rate and Improve Patient Services
- Would you like to double your billing rate and achieve faster payment for services?
Download this customer success story to see how One Health... - Mission Critical Data Explosion and Customer Case Study
- Would you like to double your tier 1 storage capacity while simultaneously reducing your storage footprint?
Download this customer success story to see how... - Protecting Against Database Attacks and Insider Threats: Top 5 Scenarios
- Read this new eBook to learn the top five scenarios and essential best practices for preventing database attacks and insider threats.
- Database Activity Monitoring Is Evolving
- Read the analyst report and learn how you can leverage the core capabilities of a DAP solution for better database security.
- Establishing a Strategy for Database Security is No Longer Optional
- The options for securing increasingly valuable databases are very broad and deep, and can be confusing. This research provides an overview of three... All Malware and Vulnerabilities White Papers
- Distributed Database Security with Real-time Monitoring
- View this demo and learn how IBM InfoSphere Guardium database activity monitoring can help protect your sensitive data in distributed DBMS environments with...
- InfoSphere Warehouse Packs Demo
- These flash modules make warehousing more tangible and relevant to business users through detailed explanations of the InfoSphere Warehouse Packs.
- Delivery Management -- Extending Lifecycle Management
- Date: Wednesday, June 20, 2012, 1:00 PM EDT
Siloed organizations continue doing the wrong things and doing things wrong, leading to increased costs,... - Leverage automation today to reduce IT complexity
- Date: Tuesday, June 5, 2012, 2:00 PM EDT
Whether your B2B complexity is caused by multiple technologies due to M&A, business or application specific... - Redefine Expectations in the Data Center
- Need to do more with less? Watch this video to learn how HP ProLiant Gen8 servers can help your business deploy servers three... All Malware and Vulnerabilities Webcasts