Mozilla patches critical Firefox bugs
No need to update newest edition, Firefox 3.6; flaws already fixed
Computerworld - Mozilla on Wednesday patched five vulnerabilities, three of them critical, in older editions of Firefox and in the process extended the support life of Firefox 3.0 by at least one more month.
The newest Mozilla browser, Firefox 3.6, already contains the patches.
Hackers able to exploit any of the three critical bugs would be able to inject their own malware onto the machine, Mozilla noted in the accompanying advisories. "Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code," read the advisory dedicated to the browser engine issue.
The remaining two vulnerabilities, both rated "moderate" in Mozilla's four-step scoring system, were bugs that could be exploited in cross-site scripting attacks.
One of the cross-site scripting flaws was reported by a security researcher working for browser rival Microsoft, marking the second time in two days that Microsoft experts were credited with passing along vulnerability information to a competitor. Yesterday, Adobe said Microsoft had found and reported a critical flaw in Reader and Acrobat.
Firefox 3.6 does not need to be updated; the five vulnerabilities were addressed before Mozilla shipped the browser Jan. 21.
The last time that Mozilla issued a security update for Firefox was Jan. 5, when it fixed a flaw in the browser's upgrade mechanism and patched a bug that programmers inadvertently introduced the month before.
With the update to Firefox 3.0.18, Mozilla also extended the support lifespan of the 2008 browser beyond the January cutoff it had earlier announced. Mozilla did not immediately respond to questions about when it plans to officially retire the version. In the past, Mozilla has discontinued security updates for a browser approximately six months after the release of a newer edition; Firefox 3.5, the immediate successor to version 3.0, shipped on June 30, 2009.
Firefox accounts for 24.4% of the browser market, according to the most recent data from metrics company NetApplications.com. Over three-fourths of Firefox users ran version 3.5 last month, while the remainder ran the older 3.0.
Firefox 3.5.8 can be downloaded for Windows, Mac OS X and Linux from the Mozilla site. Current Firefox users can instead call up the browser's update tools, or wait for automatic update notifications to appear in the next 48 hours.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is firstname.lastname@example.org.