Mozilla fixes 16 flaws with Firefox 3.5.4
Mozilla today patched 16 vulnerabilities in Firefox, 11 of them critical, as it updated the open-source browser to version 3.5.4.
The 11 critical Firefox 3.5 vulnerabilities were located in a variety of components, including Web worker calls, the GIF color map parser, the string-to-number converter, a trio of third-party media libraries, and both the JavaScript and browser engines.
"Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla said in some of the advisories outlining the most serious flaws.
Firefox 3.0, which was first released in the summer of 2008 and will be retired from security support in January 2010, was also updated today with the release of version 3.0.15. The older browser received nine patches, four marked critical.
The disparity between the two versions' patch counts was due to several that affected only the newer Firefox 3.5, including the three critical bugs outlined in MFSA-2009-63 that required upgrades of the "liboggz," "libvorbis," and "liboggplay" open-source media libraries.
Three of the four vulnerabilities spelled out in MFSA-2009-64 generate browser crashes, while the last affects the TraceMonkey JavaScript engine that debuted in Firefox 3.5. Mozilla recommended users disable JavaScript in Firefox if they were unable or unwilling to patch the browser. Only one of the four engine crashes impacts Firefox 3.0.
Mozilla rated three of the 16 vulnerabilities as "moderate," the second-from-the-bottom ranking in its four-step system, and two as "low," its least serious rating.
Tuesday's updates came just a day before Mozilla is slated to release the first beta of Firefox 3.6, a minor update currently set to ship before the end of the year. At one point, Mozilla was hoping to unveil Firefox 3.6 Beta on Oct. 13, but several bugs delayed the preview.
Firefox 3.6 will be the first of two so-called "minor" upgrades that Mozilla intends to produce between now and the middle of 2010. Last month, Mozilla switched to a quicker-paced development cycle to bring new features or under-the-hood improvements to users faster, and to stay competitive in the again-aggressive browser market.
Mozilla is still hammering out how it will offer users Firefox 3.6 when it ships in final form. Some, including Firefox director Mike Beltzner, lean toward a security update-like mechanism, while others have argued for something more explicit, akin to the "major upgrade" invitations that Mozilla presents users of older editions from time to time.
"As proposed earlier in the summer, Firefox 3.6 will be primarily a release with security, stability, speed and capability enhancements, with no visible user interface changes over Firefox 3.5," Beltzner wrote in an Oct. 15 message to the "mozilla.dev.planning" forum. "As such, I think we should consider it as a candidate for a minor update, stretching our definition of what types of updates we can provide using that mechanism."
Web measurement company Net Applications says Firefox accounted for nearly 24%
Firefox 3.5.4 and 3.0.15 will be available for Windows, Mac OS X and Linux directly from the Mozilla site when they're posted in the next few hours.
Current Firefox users, however, will be able to call up the browsers' update tools, or wait for automatic update notifications to appear in the next 48 hours.
Computerworld
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
firefox patches
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.













