Mozilla patches Firefox and Thunderbird
The first update to Firefox 4.0, version 4.0.1, addresses a total of three vulnerabilities, two of which are rated as critical. The browser's WebGLES feature contains bugs that could lead to crashes, potentially resulting in the execution of malicious code. The Windows version of Firefox was also found to have been compiled without ASLR support, which would allow an attacker to bypass ASLR's protection against malicious code if a memory corruption flaw were found. Several critical memory safety bugs in the browser engine used by Firefox have also been corrected. These bugs reportedly showed evidence of memory corruption under certain circumstances, and the developers presume that, with enough effort, some of them could be exploited to run arbitrary code.
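Whether a Windows binary opts into ASLR is recorded in its PE header: the `IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` bit (0x0040) of the optional header's `DllCharacteristics` field, which the linker sets when it is built with `/DYNAMICBASE`. The following script, added here as an illustration and not taken from the article or from Mozilla, parses that field (and the neighbouring `NX_COMPAT` bit) so an administrator can audit an installed executable or DLL. The two sample images it builds are constructed in place so the check runs offline; the `check_file` helper and the field offsets follow the published PE/COFF layout.

```python
import struct

# Bits of the optional header's DllCharacteristics field (PE/COFF spec).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated at load (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP/NX compatible
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_mitigations(data: bytes) -> dict:
    """Return the ASLR/DEP opt-in flags of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                       # 20-byte COFF file header
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    opt = coff + 20                                           # start of the optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < 72:
        raise ValueError("optional header too short to contain DllCharacteristics")
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def check_file(path: str) -> dict:
    """Audit an on-disk executable or DLL (e.g. an installed firefox.exe)."""
    with open(path, "rb") as fh:
        return pe_mitigations(fh.read())


def build_fake_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Construct a minimal, non-loadable PE image with the given DllCharacteristics.

    This is test scaffolding (constructed data), not a real binary: only the
    fields the parser reads are filled in, everything else is zero.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224          # standard optional header sizes
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = {
        "built without /DYNAMICBASE (constructed)": build_fake_pe(0),
        "built with ASLR and DEP (constructed)":
            build_fake_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                          | IMAGE_DLLCHARACTERISTICS_NX_COMPAT, pe32plus=True),
    }
    for label, image in samples.items():
        print(label, pe_mitigations(image))
```

Note that the flag is per image: the loader only randomises the base of modules that carry it, so a process is fully randomised only when the executable and every DLL it loads were built with `/DYNAMICBASE`; an audit should therefore walk all modules in the installation directory, not just the main executable.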
Updates have also been issued for the 3.5.x and 3.6.x branches of Firefox. These updates, versions 3.5.19 and 3.6.17, address the same memory safety bugs noted above, as well as five other vulnerabilities. The legacy branches of Firefox contain two further critical holes: a privilege escalation problem in the Java Embedding Plugin (JEP) that shipped with the Mac OS X versions, and multiple dangling pointer vulnerabilities. Two moderate risk bugs and one low risk bug have also been corrected. The developers note that version 3.5.19 will be the last planned security and stability update for the 3.5 branch and encourage all users to upgrade to the 4.0.x branch of Firefox.
Mozilla has also released an update for Thunderbird, version 3.1.10. According to the release notes, the update includes several performance, stability and security fixes. However, at the time of this posting, the Thunderbird 3.1.10 security advisories have yet to be published. As Thunderbird 3.1.x is based on the same Gecko browser engine as Firefox 3.6.x, it can be assumed that the update addresses most, if not all, of the vulnerabilities fixed in Firefox 3.6.17.
Further details about the updates, including links to the full change logs, can be found in the Firefox 4.0.1, 3.6.17 and 3.5.19, and Thunderbird 3.1.10 release notes. Firefox 3.6.17 and 4.0.1, and Thunderbird 3.1.10 are available to download for Windows, Mac OS X and Linux. Alternatively, users can upgrade to the new versions, either by waiting for the automated update notification or by manually selecting "Check for updates" from the Help Menu. Mozilla encourages users to upgrade to the latest releases as soon as possible.
Firefox and Thunderbird binaries are released under the Mozilla Firefox End-User Software License Agreement and the Mozilla Thunderbird End-User Software License Agreement, and the source code is released under disjunctive tri-licensing that includes the Mozilla Public Licence, GPLv2 and LGPLv2.1.
- Firefox 4 surpasses 100 million downloads, a report from The H.
- Firefox 5 coming 21 June?, a report from The H.
- What's new in Firefox 4.0, a feature from The H.