Mozilla patches 9 Firefox bugs, adds plug-in crash protection
Ships delayed Firefox 3.6.4 with new feature that keeps Windows, Linux browsers running when Flash, QuickTime or Silverlight go south
Computerworld - Mozilla on Tuesday patched nine vulnerabilities, six of them critical, in Firefox 3.6 and Firefox 3.5.
But rather than highlighting the security fixes in Firefox 3.6.4, the company instead emphasized the addition of crash protection, a move meant to keep the browser alive when popular plug-ins drop dead.
Updates to Firefox 3.6.4 and Firefox 3.5.10 fixed nine flaws for each version, although the total patch count came to 10 because two fixes affected only one of the pair.
Six of the nine vulnerabilities for each browser were rated "critical," Mozilla's highest threat ranking, indicating that hackers could use them to compromise a system running Firefox, then plant other malware on the machine.
Two were labeled "moderate," the second-lowest rating, while one was tagged as "low."
One of the critical flaws was reported to Mozilla by Nils, a German research who only goes by his first name.
Nils gained fame by winning cash prizes at the last two annual Pwn2Own hacking contests, sponsored by HP TippingPoint's Zero Day Initiative bug bounty program.
It was Nils' second Pwn2Own victory; last year he grabbed $15,000 by exploiting not only Firefox, but also Safari and IE8.
But Mozilla wanted all eyes on Firefox 3.6.4 for a different reason. "Results from our beta testing show Firefox 3.6.4 will significantly reduce the number of Firefox crashes experienced by users who are watching online videos or playing games," said Christian Legnitto, who oversees the Firefox releases, in a post to Mozilla's blog.
"When a plug-in crashes or freezes while using Firefox, users can enjoy uninterrupted browsing by simply refreshing the page," he said.
Firefox 3.6.4 currently recovers only from crashes of Adobe's Flash Player, Apple's QuickTime and Microsoft's Silverlight plug-ins, and is available only in Firefox for Windows and Linux. The company is still working on the feature, which it has dubbed "out of process plug-ins," or OOPP, for the Mac version.
Mozilla has had an eye on Flash for OOPP treatment because Adobe's software has been responsible for more Firefox crashes than any other plug-in, according to the company.
It has also worked other features into Firefox to deal with problems in that plug-in, and others. Last year, for example, Mozilla kicked off plug-in checking, a feature that determines whether a user is running an outdated, and possibly vulnerable, plug-in, by focusing on Flash.
A keystone of the "Lorenz" project -- a move by Mozilla to quickly add features to Firefox via regular security updates rather than waiting for bigger upgrades -- OOPP was designed as a stop-gap measure for Firefox 3.6 when work on the full-scale "Electrolysis" process separation project was shifted to Firefox 4, a major update currently scheduled to ship by the end of 2010.
The addition of OOPP led to several delays of Firefox 3.6.4, which at one point was slated for an early May release, then pushed to June 1 and beyond.
Mozilla has no plans to add OOPP to the older Firefox 3.5 line, it said in an FAQ on the new crash protection feature.
Users can update to Firefox 3.6.4 by downloading the new edition or by selecting "Check for Updates" from the Help menu in the browser. Firefox 3.5 can obtain the patches by calling up the integrated update tool.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- Google reverses field, promises to restore Chrome's scrollbar arrows
- Update: Google ships Chrome 33, patches 28 bugs
- Mozilla's top exec defends in-Firefox ads, revenue search
- Mozilla taps in-Firefox ads as it searches for more revenue
- Mozilla ships Metro Firefox beta for Windows 8
- Mozilla defers Firefox's new 'Australis' UI to April
- Mozilla resets Metro Firefox ship date to mid-March
- Mozilla ships Firefox 26 with opening click-to-play move
- Mozilla banked $274M in '12 from Google-Firefox search deal
- Google trumpets Chrome's SPDY gains
Read more about Desktop Apps in Computerworld's Desktop Apps Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Simplify and Consolidate Data Protection for Better Business Results Learn about IBM® Tivoli® Storage Manager Operations Center, which provides advanced visualization, built-in analytics and integrated workflow automation features that leapfrog traditional backup...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Desktop Apps White Papers | Webcasts