Mozilla patches 10 bugs in older Firefox

Calls it quits on Firefox 3.0 with final security update

Mozilla Corp. yesterday patched 10 vulnerabilities in its older browsers, marking the end of security support for 2008's Firefox 3.0.

Eight of the 10 flaws also affect Firefox 3.6 and were actually patched last week in the update to Version 3.6.2. At the time, Mozilla disclosed only 10 of the vulnerabilities fixed in the newer browser; it withheld details of the rest until yesterday, when it shipped Firefox 3.0.19 and 3.5.9.

Mozilla accelerated the delivery of Firefox 3.6.2 (it typically updates all supported versions of its browser simultaneously) to patch a vulnerability announced by Russian researcher Evgeny Legerov, who had already published exploit code for it in his VulnDisco add-on for Immunity Security's Canvas penetration testing kit.

Pressure on Mozilla mounted on March 19, when the German government's computer security agency told users to abandon Firefox until a fix for Legerov's bug was available. Buerger-CERT, part of Germany's Federal Office for Security in Information Technology, known by its German initials, BSI, withdrew that advice after Mozilla released Firefox 3.6.2.

Of the 10 new bugs listed yesterday on Mozilla's security advisory page, nine affected Firefox 3.5, while six affected Firefox 3.0.

More than half of the fixed flaws, six of the 10, were rated "critical" by Mozilla, the highest of the four rankings in its threat scoring system. One was tagged "high," and the remaining three "low." According to Mozilla, a critical vulnerability can be used by an attacker to run arbitrary code on the victim's machine, for example to install malware or enlist the PC in a botnet.

One of the patches rated low, MFSA 2010-22, requires a manual step from users, Mozilla warned. The fix adds support for the TLS secure renegotiation indication (RFC 5746), which blocks the man-in-the-middle attack on TLS renegotiation disclosed in late 2009, but Firefox does not enforce it by default. To turn it on, type "about:config" (without the quotation marks) in the address bar, press Enter, filter for "security.ssl.require_safe_negotiation", and double-click the entry to toggle its value from "false" to "true". Once the setting is on, Firefox refuses to connect to any server that has not itself been updated for RFC 5746, so expect some sites to stop working until their operators patch.
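Because the preference above rejects every server that has not been updated for RFC 5746, an administrator will want to know which servers would break before flipping it fleet-wide. The following Python 3 script is an added example, not code from the article or from Mozilla: it sends a minimal TLS 1.0 ClientHello that advertises RFC 5746 (both the SCSV pseudo cipher suite and an empty renegotiation_info extension) and reports whether the ServerHello carries the renegotiation_info extension, which is exactly what Firefox checks with require_safe_negotiation set to true. The two sample ServerHello records at the bottom are constructed inline for offline testing, not captured from any real server, and the script file name used in the usage note is my own choice.

```python
"""Check whether a TLS server advertises RFC 5746 secure renegotiation.

With security.ssl.require_safe_negotiation=true, Firefox refuses any server
whose ServerHello lacks the renegotiation_info extension. This script speaks
just enough TLS 1.0 to find out, without completing a handshake.
"""
import socket
import struct
from typing import Optional

RENEGOTIATION_INFO = 0xFF01   # extension type (RFC 5746, section 3.2)
SCSV = 0x00FF                 # TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher suite
TLS_RSA_AES128_SHA = 0x002F   # suites a 2010-era server is sure to accept
TLS_RSA_3DES_SHA = 0x000A


def build_client_hello(host: str) -> bytes:
    """TLS 1.0 ClientHello signalling RFC 5746 support both ways: SCSV and empty extension."""
    version = b"\x03\x01"
    client_random = b"\x00" * 32            # fixed for reproducibility; a real client uses os.urandom(32)
    session_id = b"\x00"                    # empty session id
    suites = struct.pack("!HHH", TLS_RSA_AES128_SHA, TLS_RSA_3DES_SHA, SCSV)
    cipher_suites = struct.pack("!H", len(suites)) + suites
    compression = b"\x01\x00"               # one method: null
    name = host.encode("idna")
    sni_ext = (struct.pack("!HH", 0x0000, 5 + len(name))
               + struct.pack("!HBH", 3 + len(name), 0, len(name)) + name)
    reneg_ext = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"   # renegotiated_connection = <empty>
    extensions = sni_ext + reneg_ext
    body = (version + client_random + session_id + cipher_suites + compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(data: bytes) -> Optional[dict]:
    """Walk TLS records until a ServerHello is found.

    Returns None if the stream is incomplete (caller should read more) and
    raises ValueError if the server answered with an alert instead.
    """
    pos = 0
    while pos + 5 <= len(data):
        ctype, _ver, rlen = struct.unpack("!BHH", data[pos:pos + 5])
        rec = data[pos + 5:pos + 5 + rlen]
        if len(rec) < rlen:
            return None                       # truncated record
        pos += 5 + rlen
        if ctype == 0x15:                     # Alert: hello rejected outright
            raise ValueError("TLS alert %r" % rec)
        if ctype != 0x16:
            continue
        hpos = 0                              # a record may carry several handshake messages
        while hpos + 4 <= len(rec):
            htype = rec[hpos]
            hlen = int.from_bytes(rec[hpos + 1:hpos + 4], "big")
            msg = rec[hpos + 4:hpos + 4 + hlen]
            hpos += 4 + hlen
            if len(msg) < hlen:
                return None                   # message spans records; not coalesced here
            if htype == 0x02:                 # HandshakeType server_hello
                return _parse_server_hello_body(msg)
    return None


def _parse_server_hello_body(msg: bytes) -> dict:
    version = struct.unpack("!H", msg[:2])[0]
    p = 2 + 32                                # skip server random
    p += 1 + msg[p]                           # skip session id
    suite = struct.unpack("!H", msg[p:p + 2])[0]
    p += 3                                    # cipher suite + compression method
    result = {"version": version, "cipher_suite": suite, "secure_renegotiation": False}
    if p + 2 > len(msg):
        return result                         # no extensions block at all: pre-RFC 5746 server
    ext_len = struct.unpack("!H", msg[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", msg[p:p + 4])
        edata = msg[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == RENEGOTIATION_INFO:
            # On an initial handshake the payload must be a single zero length byte;
            # RFC 5746 requires the client to abort if it is anything else.
            result["secure_renegotiation"] = edata == b"\x00"
    return result


def check_server(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check (needs network): read until a complete ServerHello can be parsed."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        buf = b""
        while len(buf) < 1 << 16:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
            parsed = parse_server_hello(buf)
            if parsed is not None:
                return parsed
    raise ValueError("no ServerHello received from %s:%d" % (host, port))


def _constructed_server_hello(with_reneg: bool) -> bytes:
    """Constructed (not captured) ServerHello record for offline testing."""
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00" + struct.pack("!H", TLS_RSA_AES128_SHA) + b"\x00"
    if with_reneg:
        ext = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


SAMPLE_PATCHED_SERVER = _constructed_server_hello(True)      # answers with renegotiation_info
SAMPLE_UNPATCHED_SERVER = _constructed_server_hello(False)   # pre-RFC 5746 server, no extensions

if __name__ == "__main__":
    import sys
    print(check_server(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it as `python reneg_check.py www.example.com` (any host name you choose). A server reported with `secure_renegotiation: False`, or one that answers the SCSV with an alert, is a server Firefox will refuse once the preference is set; it may also still be exposed to the renegotiation plaintext-injection attack, unless its operator has simply disabled renegotiation outright, which some servers did as a stopgap before RFC 5746 support shipped. The same preference can be pushed to managed desktops by adding the line user_pref("security.ssl.require_safe_negotiation", true); to each profile's user.js rather than editing about:config by hand.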

Half of the critical vulnerabilities patched yesterday were reported to Mozilla through 3Com TippingPoint's Zero Day Initiative bug bounty program.

TippingPoint was in the news last week for its Pwn2Own hacking contest, during which it handed out $45,000 in cash to five researchers who exploited Apple's iPhone and fully-patched machines running Microsoft's Internet Explorer 8, Apple's Safari and Mozilla's Firefox browsers.

Mozilla has yet to patch the Firefox vulnerability that was used by a German researcher to earn $10,000 for hacking the browser on a PC running 64-bit Windows 7.

As expected, yesterday's security update for Firefox 3.0 was that version's final patch. "This is the last planned security and stability release for Firefox 3.0," said Christian Legnitto, who oversees the release of Firefox security updates. Firefox 3.0 debuted in June 2008 and was superseded first by Firefox 3.5 last summer and then by Firefox 3.6 in January 2010.

Legnitto, who once worked at Apple, encouraged users to upgrade to Firefox 3.6 by downloading the new edition or by selecting "Check for Updates" from the Help menu in older versions of the browser.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@ix.netcom.com.

Copyright © 2010 IDG Communications, Inc.
