Mozilla patches Firefox 4, fixes programming bungle
Closes eight holes in new browser, including ASLR oversight
Computerworld - Mozilla on Thursday patched Firefox 4 for the first time, fixing eight flaws, including a major programming oversight that left the browser as vulnerable to attack on Windows 7 as on the 10-year-old Windows XP.
The company also plugged 15 holes in the still-supported Firefox 3.6, and issued its last security update for Firefox 3.5, which debuted in mid-2008.
Mozilla patched a total of 20 bugs in all versions of Firefox, 17 of them rated "critical," the company's top-most threat warning in its four-step scoring system.
Firefox 4.0.1, the first update to that browser since its March 22 launch, fixed seven critical flaws and one rated "low."
The most important of the bugs was a programming lapse that left Firefox 4 open to less-sophisticated attacks.
"The WebGLES libraries in the Windows version of Firefox were compiled without ASLR protection," stated the advisory labeled MSFA 2011-17. "An attacker who found an exploitable memory corruption flaw could then use these libraries to bypass ASLR on Windows Vista and Windows 7, making the flaw as exploitable on those platforms as it would be on Windows XP or other platforms."
WebGL is supported in shipping versions of Firefox and Google's Chrome, in a preview build of Opera Software's Opera, and will be backed by Safari in its next upgrade.
The Khronos Group, an industry consortium whose members include Mozilla, Google, Opera and Apple, released the final specification of WebGL 1.0 just last month.
ASLR, or address space layout randomization, is one of the security underpinnings of Windows Vista and Windows 7. It's designed to make it more difficult for attackers to locate addressable memory space that can be used to execute exploits.
"The WebGLES libraries could potentially be used to bypass a security feature of recent Windows versions," Mozilla acknowledged. "WebGL was introduced in Firefox 4; older versions are not affected by these issues."
Mozilla credited a researcher who goes only by his first name, "Nils," for reporting the ASLR oversight. Nils may be best known for his work at the annual Pwn2Own hacking contest, where in 2009 he exploited Internet Explorer, Firefox and Safari in short order to win $15,000 in cash awards.
At 2010's Pwn2Own, Nils won $10,000 by sidestepping ASLR and DEP (data execution prevention), another anti-exploit technology found in Windows, to hack Firefox 3.6.
Mozilla also upgraded older editions of Firefox to 3.6.17 and 3.5.19, noting that the latter was the last security update for the aged browser.
"This is the last planned security and stability release for Firefox 3.5," said Christian Legnitto, who overseas Firefox releases. "All users are encouraged to upgrade to Firefox 4."
- Microsoft's IE steps back from the brink of irrelevance
- Firefox falters, falls to record low in overall browser share
- Firefox risks user backlash by adding search box to new tab page
- Google unseats Microsoft as the U.S. browser powerhouse
- Safari, Chrome push to mask URLs
- Chrome on Windows champs at the 64-bit
- Google pulls trigger, cripples some Chrome add-ons
- Microsoft shoots to shorten Internet Explorer's long tail
- Firefox risks irrelevance as mobile browsing booms
- Firefox UI revamp sparks complaints, searches for alternatives
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!