Firefox 3.6.4 adds crash protection, fixes vulnerabilities - Update
Following several delays, Mozilla has released version 3.6.4 of its open source Firefox web browser, the latest security and stability update to the 3.6.x branch of Firefox. Firefox 3.6.4 closes more than 225 bugs found in the previous update, addresses a number of critical security vulnerabilities and includes new crash protection technology from the Mozilla Lorentz Project.
Lorentz is designed to bring full process isolation to Firefox, separating web pages and plug-ins from the main browser by running them in their own processes. With process isolation, a crashing web page or plug-in does not take down the rest of the browser, resulting in a more reliable browser. Currently, crash protection only works for Adobe Flash, Apple QuickTime and Microsoft Silverlight on Windows and Linux systems. However, the developers note that support for other plug-ins and operating systems will be added in a future release.
The 3.6.4 update fixes a total of seven vulnerabilities, four of them rated as critical by Mozilla. Contrary to previous assumptions, a URL spoofing issue discovered by security expert Michal Zalewski has not been fixed with this update. The details of the spoofing problem have already been published and Mozilla has now confirmed that it will be addressed in the upcoming 3.6.6 release of Firefox (version 3.6.5 is being skipped). Safari reportedly also has a similar problem.
The Mozilla development team have also recently released Firefox 3.5.10, Thunderbird 3.0.5 and version 2.05 of the SeaMonkey "all-in-one internet application suite" to address the same security vulnerabilities. Mozilla advises all users to upgrade to the latest release as soon as possible.
More details about the release can be found in a post on the Mozilla Blog by Firefox development director Mike Beltzner and in the release notes. Firefox 3.6.4 is available to download for Windows, Mac OS X and Linux. Alternatively, Firefox 3.6 users can upgrade to the new version, either by waiting for the automated update notification or by manually selecting "Check for updates" from the Help Menu.
Firefox binaries are released under the Mozilla Firefox End-User Software License Agreement and the source code is released under disjunctive tri-licensing that includes the Mozilla Public Licence, GPLv2 and LGPLv2.1.
Update: Apparently Robert Hansen (aka RSnake) had already discovered the vulnerability described by Zalewski in December of 2009 and posted a practical demo and description on the ha.ckers.org web site. The demo conceals the origin of a Firefox add-on (plug-in) download. While the original Firefox add-on page opens in the browser, the demo tries to install another (harmless) add-on from ha.ckers.org.
- Flock 3 Beta drops Firefox, switches to Chromium, a report from The H.
- Mozilla releases Firefox 3.7 Alpha 5 developer preview, a report from The H.