Mozilla fixes 16 flaws with Firefox 3.5.4

Computerworld - Mozilla today patched 16 vulnerabilities in Firefox, 11 of them critical, as it updated the open-source browser to version 3.5.4.

The 11 critical Firefox 3.5 vulnerabilities were located in a variety of components, including Web worker calls, the GIF color map parser, the string-to-number converter, a trio of third-party media libraries, and both the JavaScript and browser engines.

"Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla said in some of the advisories outlining the most serious flaws.

Firefox 3.0, which was first released in the summer of 2008 and will be retired from security support in January 2010, was also updated today with the release of version 3.0.15. The older browser received nine patches, four marked critical.

The disparity between the two versions' patch counts was due to several that affected only the newer Firefox 3.5, including the three critical bugs outlined in MFSA-2009-63 that required upgrades of the "liboggz," "libvorbis," and "liboggplay" open-source media libraries.

Three of the four vulnerabilities spelled out in MFSA-2009-64 generate browser crashes, while the last affects the TraceMonkey JavaScript engine that debuted in Firefox 3.5. Mozilla recommended users disable JavaScript in Firefox if they were unable or unwilling to patch the browser. Only one of the four engine crashes impacts Firefox 3.0.

Mozilla rated three of the 16 vulnerabilities as "moderate," the second-from-the-bottom ranking in its four-step system, and two as "low," its least serious rating.

Tuesday's updates came just a day before Mozilla is slated to release the first beta of Firefox 3.6, a minor update currently set to ship before the end of the year. At one point, Mozilla was hoping to unveil Firefox 3.6 Beta on Oct. 13, but several bugs delayed the preview.

Firefox 3.6 will be the first of two so-called "minor" upgrades that Mozilla intends to produce between now and the middle of 2010. Last month, Mozilla switched to a quicker-paced development cycle to bring new features or under-the-hood improvements to users faster, and to stay competitive in the again-aggressive browser market.

Mozilla is still hammering out how it will offer users Firefox 3.6 when it ships in final form. Some, including Firefox director Mike Beltzner, lean toward a security update-like mechanism, while others have argued for something more explicit, akin to the "major upgrade" invitations that Mozilla presents users of older editions from time to time.

"As proposed earlier in the summer, Firefox 3.6 will be primarily a release with security, stability, speed and capability enhancements, with no visible user interface changes over Firefox 3.5," Beltzner wrote in an Oct. 15 message to the "mozilla.dev.planning" forum. "As such, I think we should consider it as a candidate for a minor update, stretching our definition of what types of updates we can provide using that mechanism."

Web measurement company Net Applications says Firefox accounted for nearly 24% of the global browser market last month.

Firefox 3.5.4 and 3.0.15 will be available for Windows, Mac OS X and Linux directly from the Mozilla site when they're posted in the next few hours.

Current Firefox users, however, will be able to call up the browsers' update tools, or wait for automatic update notifications to appear in the next 48 hours.

Read more about spam, malware and vulnerabilities in Computerworld's Spam, Malware and Vulnerabilities Knowledge Center.