Mozilla patches Firefox 4, fixes programming bungle
Closes eight holes in new browser, including ASLR oversight
Computerworld - Mozilla on Thursday patched Firefox 4 for the first time, fixing eight flaws, including a major programming oversight that left the browser as vulnerable to attack on Windows 7 as on the 10-year-old Windows XP.
The company also plugged 15 holes in the still-supported Firefox 3.6, and issued its last security update for Firefox 3.5, which debuted in mid-2008.
Mozilla patched a total of 20 bugs in all versions of Firefox, 17 of them rated "critical," the company's top-most threat warning in its four-step scoring system.
Firefox 4.0.1, the first update to that browser since its March 22 launch, fixed seven critical flaws and one rated "low."
The most important of the bugs was a programming lapse that left Firefox 4 open to less-sophisticated attacks.
"The WebGLES libraries in the Windows version of Firefox were compiled without ASLR protection," stated the advisory labeled MSFA 2011-17. "An attacker who found an exploitable memory corruption flaw could then use these libraries to bypass ASLR on Windows Vista and Windows 7, making the flaw as exploitable on those platforms as it would be on Windows XP or other platforms."
WebGL is supported in shipping versions of Firefox and Google's Chrome, in a preview build of Opera Software's Opera, and will be backed by Safari in its next upgrade.
The Khronos Group, an industry consortium whose members include Mozilla, Google, Opera and Apple, released the final specification of WebGL 1.0 just last month.
ASLR, or address space layout randomization, is one of the security underpinnings of Windows Vista and Windows 7. It's designed to make it more difficult for attackers to locate addressable memory space that can be used to execute exploits.
"The WebGLES libraries could potentially be used to bypass a security feature of recent Windows versions," Mozilla acknowledged. "WebGL was introduced in Firefox 4; older versions are not affected by these issues."
Mozilla credited a researcher who goes only by his first name, "Nils," for reporting the ASLR oversight. Nils may be best known for his work at the annual Pwn2Own hacking contest, where in 2009 he exploited Internet Explorer, Firefox and Safari in short order to win $15,000 in cash awards.
At 2010's Pwn2Own, Nils won $10,000 by sidestepping ASLR and DEP (data execution prevention), another anti-exploit technology found in Windows, to hack Firefox 3.6.
Mozilla also upgraded older editions of Firefox to 3.6.17 and 3.5.19, noting that the latter was the last security update for the aged browser.
"This is the last planned security and stability release for Firefox 3.5," said Christian Legnitto, who overseas Firefox releases. "All users are encouraged to upgrade to Firefox 4."
- IE6: Retired but not dead yet
- Chrome users won't give up, keep pressing Google to restore old-style new tab page
- Google quashes 31 vulnerabilities, restores Metro mode 'steppers' with Chrome 34
- Firefox's UI face-lift on track for April debut
- Ex-Mozilla engineer blames Microsoft's rules for Metro Firefox's death
- Mozilla patches 20 Firefox flaws, plugs Pwn2Own holes
- Google reverses field, promises to restore Chrome's scrollbar arrows
- Update: Google ships Chrome 33, patches 28 bugs
- Mozilla's top exec defends in-Firefox ads, revenue search
- Mozilla taps in-Firefox ads as it searches for more revenue
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts