Mozilla patches 'critical' Firefox memory corruption crashes

Summary: Mozilla has released a new version of its flagship Firefox browser with fixes for five security vulnerabilities, one carrying a "critical" rating.


Mozilla has released a new version of its flagship Firefox browser with fixes for six security vulnerabilities, one carrying a "critical" rating.

The most serious issue addressed in today's Firefox 2.0.0.4 update pertains to browser crashes with evidence of memory corruption. This fix (MFSA 2007-12) rolls up several bug fixes that, under certain conditions, could presumably lead to code execution attacks.

The update also fixes a high-risk cross-site scripting flaw, an XUL pop-up spoofing bug, a vulnerability that could allow path abuse in cookies, a hole in APOP authentication and a persistent auto-complete denial-of-service flaw.

So far this year, Mozilla has shipped fixes for 17 Firefox security issues.

As expected, Mozilla also shipped the final Firefox 1.5 version with patches for the flaws discussed above. This version of Firefox 1.5 includes an auto-update mechanism to migrate users to the more secure/stable Firefox 2 versions.

Firefox 1.5.0.12 is available for download here but all users are encouraged to upgrade to Firefox 2.

Over the coming weeks, Mozilla will be presenting 1.5.0.12 users with a notification message that will offer users a "major update" to Firefox 2. Upon confirmation, a user’s browser will be upgraded from 1.5.0.12 to 2.0.0.4, according to a post on the Mozilla Developer blog.

Topic: Browser


Talkback

40 comments
  • Huh?

    I haven't had any browser crashes in ages. WTF? ]:)
    Linux User 147560
    • Me neither

      Rock solid on XP, Vista, and SuSE.
      NonZealot
      • I have

        On XP. Seems to happen when the PC is left on for a few days, which makes me think it's memory related.
        ejhonda
        • I've never had it happen

          I've left my browser up and the PC running for weeks. Mind you that is on a PC I don't use very often and that's why it's left with the browser up and turned on. It's just the old PC and access files off it. Never had problem with FireFox crashing ever. I've had IE crash more on me than FireFox. Not sure if it's the web page or all the stupid tool bars my wife installs.
          voska
          • I really think . . .

            That it's something to do with XP Home edition, since I have problems with it on my desktop. I have had some problems on my personal Laptop (MCE), but not to the extent of My Desktop. On my Work Laptop (XP Pro), not a single problem . . .

            On PCLinuxOS 2007, FF will occasionally just quit on its own, but I think that's due to me running it off the Live CD . . .
            JLHenry
          • Once and for all ...

            ... could we kill the myth that XP Home, XP Pro and XP MCE are separate OSes. All of these varieties of XP are built on the same kernel and are > 95% the same code. XP Home is XP Pro without ADS support, limited multi-processor support and the number of concurrent connections limited to 5. XP MCE is XP Home with the Media Center application bolted on. There is no logical reason for Firefox to act differently on any XP sku. The parts of the OS that affect it are identical.

            The problem described is a Firefox problem. That is why it is a Firefox patch. You don't have to look any further than that!
            ShadeTree
          • Excellent point - for the most part.

            "All of these varieties of XP are built on the same kernel and are > 95% the same code. XP Home is XP Pro without ADS support, limited multi-processor support and the number of concurrent connections limited to 5. XP MCE is XP Home with the Media Center application bolted on."

            Right on the money - except, isn't MCE supposed to be more like XP Pro with the media center stuff slapped on?

            The only other consideration I can think of why any app would behave differently on various flavors of XP - age and corruption. Maybe one box got hit with spyware or viruses that left some registry crud behind after it was removed. The same can be said of many AV apps - Norton is one of the WORST offenders.

            At any rate, as you said, it IS a Firefox issue.
            Wolfie2K3
          • True, I took a short cut.

            Media Center was built on XP Pro but they did make the same changes in the 2005 edition that made it more like Home, (limited concurrent connections and disabled ADS support).
            ShadeTree
        • How many people do that?

          How many people leave a PC on for that amount of time however? Whenever I am done using my PC, I put it into sleep mode or totally shut it down if I am not going to be using it for awhile.

          I'm glad they fixed the memory error however, they have a history of being a route to attackers into your system.
          Leria
          • My systems

            laptops excluded, all run 24/7/365. Of course I have them set up to run Seti @ home so when I am not using the systems the cycles are used for something else. But I am impatient, when I come to my PC I want to turn the monitor on and go. ]:)
            Linux User 147560
          • I don't believe they are questioning leaving the ....

            ... PC on. They are questioning leaving the PC on with the browser open. Furthermore, if you ran an OS that had proper power management your PC would go to sleep or hibernate giving you that CE device power on experience without the wasted electricity and subsequent greenhouse gas damage to the planet.
            ShadeTree
      • I have too

        But that's because I use those 32-bit plugins for 64-bit browsers, which are kind of unstable. I just set Firefox to open with the last opened tabs, so it's really no big deal. Now if Adobe would just get around to giving us some 64-bit Flash players (in both Linux and Windows) this problem would go away.
        Michael Kelly
        • Second the motion !

          And if, in addition to Adobe providing a genuine 64-bit Flash Player, Google could provide (64-bit) Picasa that didn't have to run off a Wine emulator, and Creative Labs (64-bit) Linux drivers for Sound Blaster X-Fi, think how happy all we Ubuntu users would be - and Feisty as a Fawn !...

          Henri
          mhenriday
        • Only if you apply this new patch ....

          ... would the problem go away. They didn't write this patch for a non-existent problem.
          ShadeTree
    • It must not be a problem if you haven't seen it!

      I wonder why the Firefox people patched it? Didn't you tell them it wasn't an issue?
      ShadeTree
      • So are you trying

        to start something? I was not aware there was a problem as to the fact I have not seen it on at least 20 different machines that I own, work with or maintain. That is both Linux and Windows boxes. ]:)
        Linux User 147560
        • How is that relevant?

          It obviously existed or they wouldn't have patched it. It was kind of a duhhh statement don't you think? :)
          ShadeTree
    • I've got You Beat!

      I've not had a browser crash in (ages + 1).
      xuniL_z
    • I've had several crashes

      I've been using some very heavy web apps for work and school. Firefox 2 has been crashing on me several times, when 1.0 and 1.5 did not. I'm hopeful this update will eliminate problems I've seen.

      Still, I'd never go back to IE.
      Spats30
  • Thanks for the heads up, Ryan

    I just downloaded the new version from the Mozilla site, since the Ubuntu-packaged Firefox doesn't check for browser updates (but within a few days Ubuntu should provide a package update).
    Tony Agudo