Yet another Firefox security update

The Mozilla folks have released another security update this week, though I noticed that there's a lot less media chatter about these security fixes than the last round. Perhaps there's something to this eWeek article that notes that a lot of updates were rolled out Tuesday (Firefox was one) in the same timeframe of Microsoft's "patch Tuesday."

The 1.0.5 release fixes 12 vulnerabilities, two of them considered "critical" and four of "high" severity. The biggies are a vulnerability that could allow execution of code with enhanced privileges and a vulnerability that could allow execution of arbitrary code.

For those that are keeping track, Firefox has had five security updates this year so far: 1.0.1 was released February 24, 1.0.2 was released on March 23, 1.0.3 was released on April 14, and 1.0.4 was pushed out on May 12 -- a little earlier than the Moz folks planned, due to a premature disclosure of Firefox security issues by a third party.

Speaking of dates, one thing that strikes me as odd about Mozilla's security advisories -- there's no date given on any of their advisory pages. Check around on any other vendor's site, the dates of security releases and advisories are clearly noted -- even Microsoft provides publication dates for their advisories. When tracking security problems, it's handy to know when vulnerabilities are discovered, when the vendor publishes an advisory, and when the vendor publishes the actual patch or update. It would be nice to see a little more detail here.

Despite the number of vulnerabilities, it's worth noting that (at least as far as I know) there are no exploits for these issues in the wild. If you look at most of the vulnerabilities, many are more theoretical than practically exploitable -- however, that doesn't mean that they shouldn't be taken seriously and patched as soon as they are found.

One thing that would be nice is better coordination between Mozilla and the vendors and projects that repackage Firefox code. Firefox 1.0.5 was released on Tuesday, and a quick check of the major Linux vendors (Debian, Red Hat, SUSE, Ubuntu) showed that most don't have a patched version of Firefox out yet. Only the Gentoo folks have an advisory out that I've seen as of this writing (Friday afternoon). Whether this is practical or not, I'm not sure.

I still feel confident that Firefox is as secure as a browser can be, given the number of "moving parts" (so to speak) that a modern browser has. However, the number of security fixes over the last year is somewhat sobering. As Dana mentions, the speed and distribution of updates is almost as important today as the security of the code itself -- mainly because it doesn't look like anyone is delivering code that's vulnerability-free, whether that's the open source community or the proprietary vendors.

[Update: Monday, July 18] Looks like Firefox will be issuing another update very soon due to problems with the security fixes interacting with Firefox extensions. This isn't a security problem, but API changes that may have broken a number of Firefox extensions. More info at Mozillazine.

Topics: Security

About

Joe 'Zonker' Brockmeier is the community manager for openSUSE, a community Linux distro sponsored by Novell. Prior to joining Novell, Brockmeier worked as a technology journalist primarily covering the Linux and FOSS beat, and wrote for a number of publications, such as Linux Magazine, Linux.com, Sys Admin, UnixReview.com, IBM developer...
