In association with heise online

17 July 2009, 12:10

Firefox security and start-up problems fixed

Mozilla has released Firefox 3.5.1 to fix the recently reported security vulnerability in the Just-in-Time (JIT) JavaScript compiler, an exploit for the Windows version of which is already doing the rounds. Attackers can exploit the vulnerability to inject and execute code on vulnerable systems. Since JIT is a new feature that only appeared in Firefox 3.5, prior versions do not contain the vulnerability. Users who had previously deactivated JIT as a workaround can now safely re-activate it after installing the update.

The Firefox development team has also fixed the slow launch bug in the Windows version. The cause of the problem was that, since some Windows systems lack the Windows CryptoAPI, the developers had chosen the alternative of initialising the Network Security Services random number generator with a seed number generated by reading files from the Internet Explorer cache folder and the Windows temporary file folder. Frequent use can leave both folders containing a large number of files, causing the process to take an inconvenient amount of time. According to the Bugzilla entry, the developers have now replaced the RtlGenRandom CryptoAPI call with CryptGenRandom, available on all systems.

Under Linux and Mac OS X, the NSS library opens the /dev/urandom pseudo-file, so there is no significant delay in seeding the generator. Frans Bouma, who discovered the problem, has stated on Bugzilla that he has the impression that many Firefox developers don't really give a lot of thought to the Windows version, as most of them are developing on Linux systems and are consequently unaware of potential problems with Windows.
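The cost difference described in the two paragraphs above can be reproduced with a short added example, which is not Mozilla's or NSS's code. The function names, the SHA-256 mixing and the constructed temporary files are assumptions made for illustration; `os.urandom` stands in for the operating system's random number source.

```python
import hashlib
import os
import tempfile

SEED_LEN = 32  # bytes of seed material requested from the OS


def seed_from_files(folder):
    """Stand-in for file-scraping seeding: hash every file under `folder`.

    Returns (seed, files_read, bytes_read) so the I/O cost is visible.
    """
    digest = hashlib.sha256()
    files_read = bytes_read = 0
    for root, _dirs, names in os.walk(folder):
        for name in sorted(names):
            try:
                with open(os.path.join(root, name), "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # locked or vanished file: skip it, as a scraper must
            digest.update(data)
            files_read += 1
            bytes_read += len(data)
    return digest.digest(), files_read, bytes_read


def seed_from_os(length=SEED_LEN):
    """Fixed-size read from the OS generator; cost does not depend on disk contents."""
    return os.urandom(length)


def demo(file_counts=(10, 500)):
    """Build constructed cache folders of different sizes and compare the work done."""
    results = {}
    for count in file_counts:
        with tempfile.TemporaryDirectory() as folder:
            for i in range(count):
                with open(os.path.join(folder, f"cache{i}.tmp"), "wb") as fh:
                    fh.write(b"x" * 1024)  # constructed 1 KiB sample file
            _seed, files_read, bytes_read = seed_from_files(folder)
        results[count] = (files_read, bytes_read, len(seed_from_os()))
    return results


if __name__ == "__main__":
    for count, (files_read, bytes_read, os_bytes) in demo().items():
        print(f"{count} files: scraped {files_read} files / {bytes_read} bytes; "
              f"OS source read {os_bytes} bytes")
```

The scraped byte count grows with the folder, while the read from the OS source stays at 32 bytes regardless of how full the cache is.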

More details about the release can be found in the release notes. Firefox 3.5.1 is available to download in over 70 different languages for Windows, Mac OS X and Linux. Firefox binaries are released under the Mozilla Firefox End-User Software License Agreement and the source code is released under disjunctive tri-licensing that includes the Mozilla Public Licence, GPLv2 and LGPLv2.1.

(crve)

Permalink: http://h-online.com/-742523