Mozilla patches 10 bugs in older Firefox

Calls it quits on Firefox 3.0 with final security update

Mozilla yesterday patched 10 vulnerabilities in its older browsers, marking the end of security support for 2008's Firefox 3.0.

Eight of the 10 flaws disclosed today also apply to Firefox 3.6, but were actually patched last week as part of the update to 3.6.2. At the time, Mozilla revealed only 10 of the vulnerabilities addressed in the newer browser; it withheld information on the others until yesterday, when it released updates for Firefox 3.0.19 and 3.5.9.

Mozilla accelerated the delivery of Firefox 3.6.2 -- it typically updates all versions of its browser simultaneously -- to patch a vulnerability announced by Russian researcher Evgeny Legerov, who had published exploit code in his VulnDisco add-on for Immunity Security's Canvas penetration testing kit.

The pressure on Mozilla to act mounted March 19, when the German government's computer security agency told users to abandon Firefox until a fix was available for Legerov's bug. Buerger-CERT, part of the Federal Office for Security in Information Technology, which is known by its German initials of BSI, retracted that recommendation after Mozilla released Firefox 3.6.2.

Of the 10 new bugs listed yesterday on Mozilla's security advisory page, nine affected Firefox 3.5, while six affected Firefox 3.0.

More than half of the fixed flaws -- six of the 10 -- were rated "critical" by Mozilla, the highest threat ranking in its four-step scoring system. One was tagged as "high," while the remaining three were marked "low." According to Mozilla, the critical vulnerabilities could be used by attackers to run malicious code on a compromised machine -- infecting it with malware or hijacking it to add to their botnet collections.

One of the patches pegged as low, MFSA 2010-22, needs some manual massaging from users, Mozilla warned. The fix, designed to prevent a type of man-in-the-middle attack, requires users to enter Firefox's preferences and change a setting for it to go into effect. To do so, users should type "about:config" (without the quotation marks) in the address bar, press Enter, search for the "security.ssl.require_safe_negotiation" item, then click on "false" at the right to reset it to "true."
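Because the preference defaults to "false" and Firefox only persists it to the profile's prefs.js (or a user.js) once it is changed, an administrator checking many profiles has to treat an absent line the same as "false". The following checker is an added example written for this article, not Mozilla's code; the prefs.js fragment it reads is constructed for illustration.

```python
import re

# Preference that MFSA 2010-22 asks users to enable by hand in about:config.
SAFE_NEGOTIATION_PREF = "security.ssl.require_safe_negotiation"

# One user_pref("name", value); line as Firefox writes it to prefs.js / user.js.
_PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\);'
)


def parse_prefs(text):
    """Return {name: value} for every user_pref line in a prefs.js-style file.

    Values become Python bool, int or str; comment and blank lines are skipped.
    Later lines override earlier ones, as they do when Firefox loads the file.
    """
    prefs = {}
    for line in text.splitlines():
        m = _PREF_LINE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw in ("true", "false"):
            value = raw == "true"
        elif raw.startswith('"'):
            value = raw[1:-1].replace('\\"', '"')
        else:
            value = int(raw)
        prefs[name] = value
    return prefs


def safe_negotiation_required(text):
    """True only if the profile explicitly sets the pref to true.

    The pref defaults to false, so a missing line means the fix is not active.
    """
    return parse_prefs(text).get(SAFE_NEGOTIATION_PREF) is True


# Constructed sample profile fragment (not taken from a real profile).
SAMPLE_PREFS = '''\
# Mozilla User Preferences
user_pref("app.update.lastUpdateTime.background-update-timer", 1269700000);
user_pref("browser.startup.homepage", "https://example.invalid/");
user_pref("security.ssl.require_safe_negotiation", false);
'''

if __name__ == "__main__":
    status = "enabled" if safe_negotiation_required(SAMPLE_PREFS) else "NOT enabled"
    print(f"{SAFE_NEGOTIATION_PREF}: {status}")
```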

Half of the critical vulnerabilities patched today were reported to Mozilla by 3Com TippingPoint's Zero Day Initiative bug bounty program.

TippingPoint was in the news last week for its Pwn2Own hacking contest, during which it handed out $45,000 in cash to five researchers who exploited Apple's iPhone, and fully-patched machines running Microsoft's Internet Explorer 8 (IE8), Apple's Safari and Mozilla's Firefox browsers.

Mozilla has yet to patch the Firefox vulnerability that was used by a German researcher to earn $10,000 for hacking the browser on a PC running 64-bit Windows 7.

As expected, yesterday's security update for Firefox 3.0 was that version's final patch. "This is the last planned security and stability release for Firefox 3.0," said Christian Legnitto, who oversees the release of Firefox security updates. Firefox 3.0 debuted in mid-June 2008, but has been superseded by both Firefox 3.5 last summer and Firefox 3.6 in January 2010.

Legnitto, formerly of Apple, encouraged users to upgrade to Firefox 3.6 by downloading the new edition or by selecting "Check for Updates..." from their older browser's Help menu.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed.


Copyright © 2010 IDG Communications, Inc.
