Mozilla acts as plumber, plugs add-on memory leaks with Firefox 15

Computerworld - Mozilla today launched Firefox 15, boasting that users will see "drastic improvements in performance" because of new code that stops add-ons from leaking memory.

The open-source developer also patched 31 vulnerabilities, 23 of them dubbed "critical," the top-most threat in Mozilla's system. Five were labeled "high" and three were pegged as "moderate."

Nearly half of the total were reported by Abhishek Arya, who goes by the nickname "Inferno," of the Google Chrome security team, said Mozilla in an accompanying advisory. Another four were submitted by a pair of long-time contributors to Google's bug-bounty program.

One of the more interesting vulnerabilities could allow an attacker to hijack a PC after a Firefox install, assuming he or she could plant a file in the Windows root directory beforehand.

Twenty-six of the 31 vulnerabilities were also patched in a companion update to Firefox ESR, or Extended Support Release, the version designed for businesses. Unlike the normal Firefox build, ESR does not change its feature set or user interface (UI) for more than a year, although it does receive security patches.

Mozilla last upgraded Firefox on July 17. The company issues a new version every six weeks under the rapid-release schedule it adopted last year.

Feature changes to Firefox 15 included new support for SPDY v3, the Google-designed protocol that promises faster and more secure page loading, and the final installment of the browser's silent update service. Firefox 15 applies regularly-scheduled and emergency updates entirely in the background so that the user no longer sees an update installation progress bar.

Called "background updating" by Mozilla, the process is invisible to users because the update is automatically applied, then staged in a different directory or folder than the current copy of the browser. The next time Firefox is launched, the staged directory swaps places with the active directory.

Mozilla has worked on silent updating, and chased Chrome's similar feature, for over two years.

The addition Mozilla touted, however, was a continuation of more than a year's work on reducing the browser's memory footprint, particularly in plugging "leaks" created when code doesn't properly release memory after a chore is completed. The leaked memory is never returned to the available pool, reducing what's available for other applications, or even for Firefox at a later point. Eventually, performance suffers.

Complaints about Firefox's memory usage have historically centered on the browser's habit of not releasing memory when tabs are closed.

In June 2011, Mozilla kicked off "MemShrink," an effort to plug those leaks. With Firefox's own problems addressed -- in a blog post today, Asa Dotzler, director of Firefox, said Mozilla has "fixed the larger Firefox issues" -- the company turned attention to third-party add-ons.