Firefox 3.6.2 Released Ahead of Schedule, Fixes Critical Security Vulnerability

Article by George Norman (Cybersecurity Editor)

on 23 Mar 2010

Firefox 3.6.2 was scheduled for release at the end of the month, on 30 March. Mozilla did not stick to that timetable and shipped Firefox 3.6.2 early. If you are already using Firefox 3.6, you should get an automatic update prompt; alternatively you can update manually via Help -> Check for Updates.

“Mozilla has accelerated its timetable and released Firefox 3.6.2 ahead of schedule. We urge users to promptly update to this release,” said the Mozilla Security team.

From a security point of view, you are well advised to update to Firefox 3.6.2. This version of the Mozilla-developed browser fixes the critical vulnerability found by Evgeny Legerov, a Russian security researcher with Intevydis. The flaw is a memory-corruption bug in the decoder for WOFF downloadable fonts (an integer overflow that leads to a buffer overflow) and affects only Firefox 3.6, the first release with WOFF support, not earlier versions. A remote attacker who exploits it, for example by serving a crafted web font from a malicious page, could execute arbitrary code and take control of the targeted machine.

Legerov announced the vulnerability in late February, but only recently answered Mozilla's questions about it. Because he had announced the vulnerability without giving Mozilla a proof of concept or steps to reproduce it, Mozilla was initially unable to confirm that the vulnerability was genuine.

With Firefox 3.6.2 out, the vulnerability is fixed, and Mozilla has published some details about it. Here is how Mozilla Foundation Security Advisory MFSA 2010-08 describes the vulnerability:

“The WOFF decoder contains an integer overflow in a font decompression routine. This flaw could result in too small a memory buffer being allocated to store a downloadable font. An attacker could use this vulnerability to crash a victim's browser and execute arbitrary code on his/her system.”
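The advisory's one-sentence description is the classic length-sum integer overflow: the decoder adds up the declared decompressed size of every table in the font's directory, and a crafted directory wraps that 32-bit sum to a small number, so the buffer it allocates cannot hold even the first table. The following is an added example written for this article, not Mozilla's WOFF decoder code; it uses a constructed, simplified table directory (only the two length fields, with assumed names), reproduces the flaw in `total_size_unchecked` and shows the fix in `total_size_checked` (the 64 MiB cap is an assumption, not a value from the advisory).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified WOFF-style table directory entry. Only the two length
 * fields matter here; a real entry also carries tag, offset and
 * checksum. Constructed for this example, not Mozilla's decoder. */
typedef struct {
    uint32_t comp_length;   /* bytes stored in the file (possibly deflated) */
    uint32_t orig_length;   /* bytes the table expands to */
} table_entry;

/* Vulnerable pattern: accumulate 32-bit lengths in a 32-bit total and
 * use the result as the allocation size. Entries that individually look
 * plausible can wrap the sum to a tiny number. */
static uint32_t total_size_unchecked(const table_entry *t, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        total += t[i].orig_length;      /* silently wraps modulo 2^32 */
        total = (total + 3u) & ~3u;     /* 4-byte padding between tables */
    }
    return total;
}

/* Hardened form: accumulate in 64 bits and bound every partial sum by
 * the largest font the decoder is willing to allocate (64 MiB here,
 * an assumed cap). Returns 1 and writes *out on success, 0 if the
 * directory is rejected. */
#define MAX_SFNT_BYTES (64u * 1024u * 1024u)

static int total_size_checked(const table_entry *t, size_t n, uint32_t *out)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++) {
        total += t[i].orig_length;              /* cannot wrap in 64 bits */
        total = (total + 3u) & ~(uint64_t)3u;
        if (total > MAX_SFNT_BYTES)             /* reject before allocating */
            return 0;
    }
    *out = (uint32_t)total;
    return 1;
}

/* Where the undersized buffer bites: the per-table decompress/copy.
 * This bounds check (written to avoid offset+len wrapping) refuses the
 * write instead of corrupting the heap. Returns 1 if the write fits. */
static int table_fits(uint32_t buf_size, uint32_t offset, uint32_t len)
{
    return len <= buf_size && offset <= buf_size - len;
}

/* Constructed directory: the second table pushes the 32-bit sum past
 * 2^32, so the unchecked total becomes 0x10 (16 bytes). */
static const table_entry crafted[] = {
    { 0x10u, 0xFFFFFFF0u },
    { 0x10u, 0x00000020u },
};

/* Allocation the vulnerable path would make for the crafted directory. */
uint32_t demo_unchecked_size(void)
{
    return total_size_unchecked(crafted, 2);
}

/* 1 if the hardened path rejects the crafted directory. */
int demo_checked_rejects_crafted(void)
{
    uint32_t out = 0;
    return total_size_checked(crafted, 2, &out) == 0;
}

/* Hardened path on a benign two-table directory (8 + 5 bytes, padded). */
uint32_t demo_checked_benign(void)
{
    const table_entry benign[] = { { 8u, 8u }, { 5u, 5u } };
    uint32_t out = 0;
    return total_size_checked(benign, 2, &out) ? out : 0;
}

int main(void)
{
    uint32_t bad = demo_unchecked_size();
    printf("unchecked: allocating %u bytes for a table declaring %u bytes\n",
           bad, crafted[0].orig_length);
    printf("first table fits in that buffer? %d\n",
           table_fits(bad, 0, crafted[0].orig_length));
    printf("checked: crafted directory rejected? %d\n",
           demo_checked_rejects_crafted());
    printf("checked: benign directory needs %u bytes\n", demo_checked_benign());
    return 0;
}
```

The unchecked path allocates 16 bytes and then tries to decompress a table that claims roughly 4 GiB into it, which is exactly the "too small a memory buffer" the advisory describes; the checked path never reaches the allocation because the first partial sum already exceeds the cap. Note that a cap on each entry alone is not enough: several individually modest lengths can still wrap the sum, which is why the fix accumulates in a wider type and checks every partial total.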

If you would like to download Firefox 3.6.2, the software is available free of charge to Windows, Mac OS X and Linux users.
