Mozilla Fixes 24 Bugs In Firefox, Majority Marked Critical

Mozilla updates its Firefox browser to patch a mega-batch of 24 vulnerabilities, the bulk of them tagged "critical."

April 15, 2006

3 Min Read

Mozilla Corp. late Thursday updated its Firefox browser to patch a mega-batch of 24 vulnerabilities, the bulk of them tagged "critical."

Just days after rival Microsoft fixed 10 bugs in its Internet Explorer, Mozilla unveiled Firefox 1.5.0.2, which included 7 patches, 5 of them critical. It also unveiled 11 new patches for the older Firefox 1.5, 15 for the even older Firefox 1.0.x line in an update numbered 1.0.8, and 19 in the SeaMonkey browser suite, the replacement for the now-defunct Mozilla suite. (Note: The per-version tallies exceed the total of 18 advisories because some fixes were applied to more than one version.)

Danish vulnerability tracker Secunia tagged the overall updates -- to Firefox 1.5.0.2 and 1.0.8, and SeaMonkey 1.0.1 -- as "Highly critical," its second-from-the-top ranking. That was the same ranking Secunia gave Tuesday's 10-bug patch for IE.

Among the bugs reported in Firefox are several which could be exploited by attackers simply by duping users into visiting malicious Web sites. Many are in one way or another associated with JavaScript.

Mozilla also said it had fixed a slew of bugs that could crash the browser, some of which could conceivably be used by attackers to hijack computers. The for-profit arm of the Mozilla Foundation, however, wasn't clear on the details. "Some of these crashes showed evidence of memory corruption that we presume could be exploited to run arbitrary code," one of the 18 security advisories read.

The bugs stem from flaws in the browsers' parsing of HTML -- one sequence of HTML tags can crash the application and leave it open to attack -- and in their implementation of CSS (Cascading Style Sheets), where a buffer overflow can lead to a complete compromise of the computer.

Of the 18 advisories that covered the 24 fixes, Mozilla marked 11 "critical," 4 "high," 2 "moderate," and 1 "low." Exploiting them could, said Secunia, result in denial-of-service (DoS) attacks, browser spoofing, cross-site scripting, and unintentional disclosure of confidential information.

Many of the bugs in Firefox also affect the Mountain View, Calif. company's Thunderbird e-mail client. Thunderbird, however, has not yet been updated to match the 1.5.0.2 browser, so Mozilla advised users to disable JavaScript in the e-mailer until a patched edition is available.

Mozilla also made a pitch to users of older editions of Firefox to move up to the 1.5 family. "We strongly recommend that all users upgrade to this latest release," it said of Firefox 1.5.0.2. Although it offered a new edition of the Firefox 1.0.x line as well -- Firefox 1.0.8 -- it pushed those users toward 1.5.

"Mozilla is also strongly recommending that Firefox 1.0 users upgrade to this latest release of Firefox 1.5 in order to take advantage of significant security and stability improvements," it said. "Firefox 1.5 includes an automated update mechanism that ensures users are always up to date with the very latest updates."

Mozilla releases Firefox security updates irregularly -- the last time was February -- but in a separate announcement, it said it planned to move to an every-six-to-eight-week schedule. However, it didn't specify a date, as does Microsoft with its every-second-Tuesday-of-the-month patch day.

Also included in Thursday's updates was Mozilla's first Mac Firefox that runs natively on Intel-based iMac, Mac mini, and MacBook Pro computers. Mac owners can now download either a version in so-called "universal binaries," meaning the program runs on both PowerPC- and Intel-powered hardware, or a PowerPC-only edition.

Previously, Firefox ran slower on Intel Macs because the code had to run through the Mac OS X PowerPC emulator, dubbed "Rosetta." The updated editions of Firefox can be downloaded from the Mozilla Web site, although users running 1.5.x will receive automatic update notices over the next several days.
