Yet another Firefox security update
The Mozilla folks have released another security update this week, though I noticed that there's a lot less media chatter about these security fixes than the last round. Perhaps there's something to this eWeek article that notes that a lot of updates were rolled out Tuesday (Firefox was one) in the same timeframe of Microsoft's "patch Tuesday."
The 1.0.5 release fixes 12 vulnerabilities, two of them considered "critical" and four of "high" severity. The biggies are a vulnerability that could allow execution of code with enhanced privileges and a vulnerability that could allow execution of arbitrary code.
For those that are keeping track, Firefox has had five security updates this year so far: 1.0.1 was released Februrary 24, 1.0.2 released on March 23, 1.0.3 was released on April 14, and 1.0.4 was pushed out on May 12 -- a little earlier than the Moz folks planned, due to a premature disclosure of Firefox security issues by a third party.
Speaking of dates, one thing that strikes me as odd about Mozilla's security advisories -- there's no date given on any of their advisory pages. Check around on any other vendor's site, the dates of security releases and advisories are clearly noted -- even Microsoft provides publication dates for their advisories. When tracking security problems, it's handy to know when vulnerabilities are discovered, when the vendor publishes an advisory, and when the vendor publishes the actual patch or update. It would be nice to see a little more detail here.
Despite the number of vulnerabilities, it's worth noting that (at least as far as I know) there are no exploits for these issues in the wild. If you look at most of the vulnerabilities, many are more theoretical than practicably exploitable -- however, that doesn't mean that they shouldn't be taken seriously and patches as soon as they are found.
One thing that would be nice is better coordination between Mozilla and the vendors and projects that repackage Firefox code. Firefox 1.0.5 was released on Tuesday, and a quick check of the major Linux vendors (Debian, Red Hat, SUSE, Ubuntu) showed that most don't have a patched version of Firefox out yet. Only the Gentoo folks have an advisory out that I've seen as of this writing (Friday afternoon). Whether this is practical or not, I'm not sure.
I still feel confident that Firefox is as secure as a browser can be, given the number of "moving parts" (so to speak) that a modern browser has. However, the number of security fixes over the last year is somewhat sobering. As Dana mentions the speed and distribution of updates is almost as important today as the security of the code itself -- mainly because it doesn't look like anyone is delivering code that's vulnerability-free, whether that's the open source community or the proprietary vendors.
[Update: Monday, July 18] Looks like Firefox will be issuing another update very soon due to problems with the security fixes interacting with Firefox extensions. This isn't a security problem, but API changes that may have broken a number of Firefox extensions. More info at Mozillazine.