Yet another Firefox security update

Yet another Firefox security update

Summary: The Mozilla folks have released another security update this week, though I noticed that there's a lot less media chatter about these security fixes than the last round. Perhaps there's something to this eWeek article that notes that a lot of updates were rolled out Tuesday (Firefox was one) in the same timeframe of Microsoft's "patch Tuesday.

TOPICS: Security

The Mozilla folks have released another security update this week, though I noticed that there's a lot less media chatter about these security fixes than the last round. Perhaps there's something to this eWeek article that notes that a lot of updates were rolled out Tuesday (Firefox was one) in the same timeframe of Microsoft's "patch Tuesday."

The 1.0.5 release fixes 12 vulnerabilities, two of them considered "critical" and four of "high" severity. The biggies are a vulnerability that could allow execution of code with enhanced privileges and a vulnerability that could allow execution of arbitrary code.

For those that are keeping track, Firefox has had five security updates this year so far: 1.0.1 was released Februrary 24, 1.0.2 released on March 23, 1.0.3 was released on April 14, and 1.0.4 was pushed out on May 12 -- a little earlier than the Moz folks planned, due to a premature disclosure of Firefox security issues by a third party. 

Speaking of dates, one thing that strikes me as odd about Mozilla's security advisories -- there's no date given on any of their advisory pages. Check around on any other vendor's site, the dates of security releases and advisories are clearly noted -- even Microsoft provides publication dates for their advisories. When tracking security problems, it's handy to know when vulnerabilities are discovered, when the vendor publishes an advisory, and when the vendor publishes the actual patch or update. It would be nice to see a little more detail here.

Despite the number of vulnerabilities, it's worth noting that (at least as far as I know) there are no exploits for these issues in the wild. If you look at most of the vulnerabilities, many are more theoretical than practicably exploitable -- however, that doesn't mean that they shouldn't be taken seriously and patches as soon as they are found.

One thing that would be nice is better coordination between Mozilla and the vendors and projects that repackage Firefox code. Firefox 1.0.5 was released on Tuesday, and a quick check of the major Linux vendors (Debian, Red Hat, SUSE, Ubuntu) showed that most don't have a patched version of Firefox out yet. Only the Gentoo folks have an advisory out that I've seen as of this writing (Friday afternoon). Whether this is practical or not, I'm not sure.

I still feel confident that Firefox is as secure as a browser can be, given the number of "moving parts" (so to speak) that a modern browser has. However, the number of security fixes over the last year is somewhat sobering. As Dana mentions the speed and distribution of updates is almost as important today as the security of the code itself -- mainly because it doesn't look like anyone is delivering code that's vulnerability-free, whether that's the open source community or the proprietary vendors.

[Update: Monday, July 18] Looks like Firefox will be issuing another update very soon due to problems with the security fixes interacting with Firefox extensions. This isn't a security problem, but API changes that may have broken a number of Firefox extensions. More info at Mozillazine.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • What if Firefox had 90% market share in light of these vulnerabilities

    You note that there were 5 sets of patches for Firefox this year. This last one has a dozen vulnerabilities. What if Firefox was the dominant browser at 90% market share? Do you honestly think that these vulnerabilities would still be vulnerable? Or is it more likely that there would be a large incentive to convert these theories in to practice.

    So far, the only security that Firefox seems to bring is obscurity.
    • Correction

      "Do you honestly think that these vulnerabilities would still be vulnerable"

      should have been

      Do you honestly think that these vulnerabilities would still be "theoretical".
    • Yes, I do

      Actually, I do think many of the vulnerabilities for Firefox would largely be theoretical - even though IE has the dominant market share, there are many IE vulnerabilities that have not been exploited or widely exploited.

      Some vulnerabilities are easier to exploit than others, and most exploits have been against known issues -- meaning that most of the exploits are written after someone else has done the heavy lifting of finding the vulnerabilities.
      • What I meant was

        I understand that not all vulnerabilities go from theory to practice, but do you think there would be more Firefox vulnerabilities converted to practice if Firefox market share was that of IE in the 90% range? Currently, there is little incentive to build a Firefox exploit given the low number of users. There is also less "developer experience" in constructing Firefox exploits.
    • what if firefox

      removed the uninstall like IE has
    • What if

      we were NOT talking about a version 1? Honestly, how long does it take to move to a version 2?
      Roger Ramjet
    • Shhh! Quit pointing that out!

      C'mon George, you're raining on Firefox's parade! You shouldn't be pointing out that the security advantage that people like to trumpet is actually much less than is claimed. It pretty much ruins the feel-good mood.
  • That's too bad

    Firefox has a lot of people behind it. It's a really great browser too. I'm sure their getting pounded with calls and e-mails. I hope things turn around, bad press is a killer!

    I use Opera 8.01 myself for the most part but it has a few problems too.
  • What really matters

    What I notice a lot is when someone is trying to convince others that something is better, or worse than the alternative, is that take individual instances, or out of context numbers with no base for comparision to the alternative, an say that is why its better or worse.
    I've seen this alot lately with anti-Firefox people. They will point out the high frequency of patches from Mozilla, and say "See Firefox isn't more secure than IE". And of course give no comparision to the amount of patches released for Internet Explorer.
    What really matters is the amount vulnerabilities, how severe they are, and how quickly they are patched. Secuna says Internet Explorer has 83 advisories, 20 unpatched, and rates it at highly critical. Firefox has 21 advisories, 3 unpatched, and is rated at less critical. In other words even with the recent issues, Firefox is still far more secure.
    You may say that more vulnerabilities are found for Internet Explorer because it has a bigger marketshare, but most holes are found by white hats. Their job is to find holes in all different software, and would be looking at Firefox just as hard as Internet Explorer, if not harder since it's considered more secure. It also helps that they can look through the source for vulnerabilities.
    Even if that logic was valid, it still doesn't explain why one fourth of the Internet Explorer vulnerabilities remain unpatched, (with two rated highly critical, both over a year old).
    As soon as a vulnability is on a site like Secuna, the hackers know about it. There is no reason Microsoft can't create patches for vulnerabilities as soon as they're published (they are, after all, a multibillion dollar corperation with 50,000 employees). But they don't, even though they know that a fault in their software is fault in nearly 90% of the world's PCs. To me it's just unacceptable that a hacker can right a write an exploit faster than Microsoft can write patch.
    • Very nice!

      I did some research too and found that I'm really glad I use Opera. Secunia is great! Nice graphs too! Fire fox has a 14% unpatched and 10% partial patch over all. Unpatched are less critical.

      Sorry.. lol I just repeated what you said. But I too would agree the Fire fox is "less" critical and far more secure than IE.

      World start also has some good tips on Fire fox.
      Explains the issues with cross scripting.

      Thanks for the info! emcee
    • Try comparing 2005 against 2005 stats

      You compared multiple years of IE against less than one year of Firefox. That's hardly a fair comparison. Secunia hasn't updated this last batch of 12 vulnerabilities yet. Even so, here is the 2005 breakdown.

      IE = 9
      Firefox = 17

      Keep in mind that all of the unpatched vulnerabilities were rated low for either platform.
      • Re: Try comparing 2005 against 2005 stats

        [i]You compared multiple years of IE against less than one year of Firefox. [/i]

        Then one could draw the conclusion that IE has unpatched vulns after multiple years?

        none none
      • IE is almost 4 years old now.

        Microsoft has not significantly updated IE in several years. Firefox/Mozilla is an evolving application that has many new and somewhat untested capabilities and is compliant with more publicly available standards and specifications (HTML, XHTML, ECMA-262, ECMA-290, etc.). So effectively, you are argueing that 4 year old code with it's counless vulnerabilities, broken interfaces and other issues is better than a relatively new package that is compliant with more published standards and specifications from many standards bodies.

        In 2005, IE has not evolved much (still same stale codebase) and Firefox has gone through multiple patchlevels (major dot minor dot patchlevel format). If youare going to hold to this arguement, are you also advocating staying with NT4 even though Windows is at 5.1 (windows 2003)?
      • 2005

        5 of the 9 vulnerabilties for 2005 remain unpatched for Internet Explorer, compare that to 1 out of the 17 Firefox holes. This also means that 15 of the listed unpatched vulnerabilities in Internet Explorer are over 6 months old.
        What really matters anyway is that when using the latest fully patched version of Internet Explorer, you are vulnerable to 20 unpatched issues ranging from "not critical" to "highly critical", compared to 3 "less critical" issues with Firefox. Firefox is far more secure.
        • Those stats don't include this latest 12 vulnerabilities

          I agree that IE should fix those problems. But it should be stated that all of the unpatched problems are not severe problems.

          But it is also true that Firefox has a much higher rate of vulnerabilities even if you don't include this last batch of 12.
          • Rate of vulnerabities

            Of course Firefox has a higher rate of vulnerabilities, there hasn't been a new version of Internet Explorer in nearly four years. By comparision, Firefox didn't even exist four years ago.
            But even the last 12 were patched as soon as they became public.
      • servers don't need IE or firefox

        only one is forced to be there and patched almost once a month if you use it or not
        • IE on 2003 is in max security mode by default

          If you're on a locked down server and you never use IE to surf the web, you technically don't have to patch it. If you have to reboot once a month to cover the windows updates in general, then that's not too bad. It can be scheduled to go down in the middle of the night and staggered if it is a clustered implementation.
          • yeah right

            just tell your boss, yeah, it's missing critical patches, but that is ok

            would it really hurt ms to put the uninstall BACK in there - talk about abuse of a monopoly
          • It's a common practice

            If your server is locked down by a hardware DMZ firewall and it has a host-based firewall on that only permits inbound port 80 and some RDP from specific hosts and you lock down all outbound access from that server, it's perfectly acceptable to leave IE unpatched.

            This is a perfectly accepted practice.