Mozilla releases Firefox 3.6.8 to close critical vulnerability
Just a couple of days after the arrival of Firefox 3.6.7, the Mozilla development team has released version 3.6.8 of its popular open source web browser to close a single critical-rated vulnerability. According to the developers, the fix shipped in 3.6.7 for a plug-in parameter array crash can itself cause a crash that could lead to memory corruption. The developers say that, "In certain circumstances, properties in the plug-in instance's parameter array could be freed prematurely leaving a dangling pointer that the plug-in could execute, potentially calling into attacker-controlled memory." That is a use-after-free condition: the plug-in may still hold a pointer to memory the browser has already released, and whatever has since been placed there is what the plug-in ends up reading or calling.
Further information about the vulnerability (CVE-2010-2755) has yet to be detailed in the change log, which currently shows "Zarro Boogs found". All users are advised to upgrade as soon as possible.
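The advisory quoted above describes a lifetime bug: an entry of the plug-in's parameter array is freed while the plug-in still holds a pointer to it. The following C program is an added, illustrative model of that bug class and of the ownership discipline that prevents it; it is not Mozilla's code and says nothing about how the actual 3.6.8 fix is implemented. The reference-counted ParamArray, the PluginInstance type, the run_scenario function and the sample src/quality/allowscriptaccess parameters are all assumptions constructed for the example. With plugin_takes_reference set to 0 the browser's cleanup frees the array while the plug-in still points at it, which the model reports rather than dereferences; with it set to 1 the storage survives until the plug-in instance itself is torn down.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model, not Mozilla code: the name/value pairs a browser
 * hands to a plug-in instance (the attributes of an <embed>/<object> tag). */
typedef struct {
    char **names;
    char **values;
    size_t count;
    int refs;            /* number of owners keeping the array alive */
} ParamArray;

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Browser side: build the array. The creator holds the first reference. */
static ParamArray *param_array_create(const char *const *names,
                                      const char *const *values, size_t count) {
    ParamArray *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    p->names = calloc(count, sizeof *p->names);
    p->values = calloc(count, sizeof *p->values);
    if (!p->names || !p->values) {
        free(p->names); free(p->values); free(p);
        return NULL;
    }
    for (size_t i = 0; i < count; i++) {
        p->names[i] = dup_str(names[i]);
        p->values[i] = dup_str(values[i]);
    }
    p->count = count;
    p->refs = 1;
    return p;
}

static void param_array_acquire(ParamArray *p) { p->refs++; }

/* Drop one reference. Storage is freed only when the last owner lets go.
 * Returns 1 if this call freed the array, 0 if other owners remain. */
static int param_array_release(ParamArray *p) {
    if (--p->refs > 0) return 0;
    for (size_t i = 0; i < p->count; i++) { free(p->names[i]); free(p->values[i]); }
    free(p->names); free(p->values); free(p);
    return 1;
}

static const char *param_array_get(const ParamArray *p, const char *name) {
    for (size_t i = 0; i < p->count; i++)
        if (strcmp(p->names[i], name) == 0) return p->values[i];
    return NULL;
}

/* Plug-in side: the instance keeps a pointer to its parameters. */
typedef struct { ParamArray *params; } PluginInstance;

/* The browser hands the plug-in its parameters and then drops the browser's
 * own reference. If plugin_takes_reference is 0, the array is freed while
 * the plug-in still points at it: the dangling-pointer condition from the
 * advisory. Returns 0 and copies the "quality" value into out on success,
 * -1 if the array was freed before the plug-in could safely use it. */
int run_scenario(int plugin_takes_reference, char *out, size_t outlen) {
    /* Constructed sample parameters for the example. */
    static const char *const names[]  = { "src", "quality", "allowscriptaccess" };
    static const char *const values[] = { "movie.swf", "high", "never" };
    if (outlen) out[0] = '\0';
    ParamArray *p = param_array_create(names, values, 3);
    if (!p) return -1;

    PluginInstance inst = { p };
    if (plugin_takes_reference) param_array_acquire(inst.params);

    /* Browser-side cleanup after instantiation. */
    if (param_array_release(p)) {
        /* p is gone and inst.params dangles. Reading through it would be a
         * use-after-free, so the model reports the condition instead. */
        inst.params = NULL;
        return -1;
    }

    const char *v = param_array_get(inst.params, "quality");
    snprintf(out, outlen, "%s", v ? v : "");

    /* Instance teardown: the plug-in's reference was the last one. */
    param_array_release(inst.params);
    return 0;
}

int main(void) {
    char buf[32];
    int rc = run_scenario(1, buf, sizeof buf);
    printf("plug-in holds a reference: rc=%d quality=%s\n", rc, buf);
    rc = run_scenario(0, buf, sizeof buf);
    printf("plug-in holds no reference: rc=%d (array freed early)\n", rc);
    return 0;
}
```

The point of the model is that the browser's cleanup and the plug-in's use of the array are two independent owners; freeing on the browser's schedule alone is exactly what leaves the plug-in with a stale pointer. Built with AddressSanitizer, a version that dereferenced inst.params in the early-free branch would be reported as a heap-use-after-free.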
A number of Firefox users are reporting that the built-in update service used by Firefox is still initially flagged by Symantec's Norton Anti-Virus and Norton Internet Security 2010. The same problem occurred shortly after the release of Firefox 3.6.7 but took care of itself once a sufficient number of Norton users had downloaded the browser and marked the file as trustworthy. Following the 3.6.6 update, Norton generated a false positive indicating that some of the application's files were infected with malware, resulting in various files being quarantined after the Firefox update was installed.
More details about the release can be found in the release notes. Firefox 3.6.8 is available to download for Windows, Mac OS X and Linux. Alternatively, Firefox 3.6 users can upgrade to the new version, either by waiting for the automated update notification or by manually selecting "Check for updates" from the Help Menu.
Firefox binaries are released under the and the source code is released under disjunctive tri-licensing that includes the Mozilla Public Licence, GPLv2 and LGPLv2.1.
- Dangling pointer crash regression from plugin parameter array fix, security advisory from Mozilla.
- Firefox 3.6.8 now available for download, a Mozilla Developer Center announcement.
- Norton produces false alarm after Firefox update, a report from The H.