Firefox update squashes security bugs

Summary: Mozilla fixes several security flaws in the open-source browser, some critical.

The Mozilla Foundation has fixed several security flaws in its Firefox browser, but initially left people in the dark about what some of the issues entail.

Firefox 1.0.5, released Tuesday, patches a dozen bugs in the open-source Web browser, some of them "high risk," said Chris Hofmann, director of engineering at Mozilla. High-risk problems typically allow an intruder to commandeer a PC or expose the user's data.

"We have a collection of bug fixes that we have been working on for the last couple of weeks," Hofmann said Tuesday.

Two of the flaws that have been patched were reported in June by security-monitoring company Secunia, a Mozilla representative said.

Mozilla initially did not release details on the other vulnerabilities, even though the software revamp was available online around noon Tuesday.

Details on the bugs were published Tuesday night. Two of the 12 bugs are rated "critical" and another four are "high risk," according to Mozilla's security alerts. The bugs could allow an attacker to take over a victim's PC or expose sensitive user data, according to the alerts.

The update also includes improvements to make Firefox more stable, Mozilla said in its online posting.

Some of the security holes in Firefox were reported by Mozilla community members, helped by the group's bug bounty program, which provides $500 and a Mozilla T-shirt for finders of critical flaws, Hofmann said.

Most of the flaws would require some user interaction for an attacker to be able to exploit them, Hofmann said. There are no known attacks that use any of the newly fixed problems, he said.

The vulnerabilities reported by Secunia are spoofing flaws, which could let an attacker place malicious content on trusted Web sites. One problem lies in the way the browser handles frames. The other exists because JavaScript dialog boxes do not display or include their origin.

Firefox 1.0.5 is the first update to the popular alternative browser since May 11, when Mozilla released version 1.0.4 to fix three bugs.

Later this week, Mozilla plans to release a new version of its Thunderbird e-mail client. Thunderbird shares some code with Firefox and thus is vulnerable to the same security bugs, Hofmann said. An update to the Mozilla Suite is also scheduled to appear soon.

An alert mechanism in Firefox is designed to let people know that an update is available. They will have to download the full new browser, which is about 4.8MB in size. The next version of Firefox, release 1.1 due in August or September, will have a more streamlined patching mechanism that will let people download just the fixes, Hofmann said.

Since the debut of Firefox 1.0 in November, its usage has grown at a rapid pace. Security has been a main selling point for Firefox over rival Microsoft's Internet Explorer, which has begun to see its market share dip slightly--for the first time in a number of years. Firefox U.S. usage share reached nearly 7 percent at the end of April, according to tracking company WebSideStory.
