How Firefox is Keeping Mozilla Busy: Firefox 3.5.1, Firefox 3.0.12, One Billion Downloads

Article by George Norman (Cybersecurity Editor)

on 20 Jul 2009

The Mozilla Foundation has released a new version of its web browser, namely Firefox 3.5.1. The update is meant to address a critical vulnerability in the Just-in-Time (JIT) JavaScript compiler in Firefox 3.5 that, if exploited by a person with malicious intent, could allow that person to execute code on the targeted machine. The only thing the user has to do to get owned is visit a malicious web page that contains the exploit code.

The Mozilla Foundation provided a workaround for the issue – if you enabled it, you should disable it after you update your Firefox 3.5 browser. Details on how to apply and remove the workaround are available here.

Getting back to Firefox 3.5.1, here is what Firefox Director Mike Beltzner had to say: “As part of the Mozilla Corporation’s ongoing security and stability process, Firefox 3.5.1 is now available for Windows, Mac, and Linux users as a free download [here]. We strongly recommend that all Firefox 3.5 users upgrade to this latest release. If you already have Firefox 3.5, you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting “Check for Updates…” from the Help menu. For a list of changes and more information, please see the Firefox 3.5.1 release notes.”

No sooner had Mozilla addressed one security vulnerability with Firefox 3.5.1 than details on yet another vulnerability surfaced. This new vulnerability concerns the way in which Firefox handles very long Unicode strings. The bad news is that it causes Firefox to crash; the good news is that Mozilla says this vulnerability is not exploitable.

"On Windows, Firefox 3.0.x and Firefox 3.5.x are terminated due to an uncaught exception during an attempt to allocate a very large string buffer; this termination is safe and immediate, and does not permit the execution of attacker code. On the Macintosh in Firefox 3.0.x and 3.5.x, a crash occurs inside the ATSUI system library (part of OS X), due to what appears to be a failure to check allocation results. This issue is likely to affect any application using the recommended text-handling libraries on OS X. As a result of our analysis, we do not believe that this represents an exploitable vulnerability in Firefox,” explained VP of Engineering with Mozilla, Mike Shaver.

The older version of the browser, Firefox 3.0, is also keeping the Mozilla Foundation busy. According to Mozilla QA team member Carsten Book, a security update for the browser is forthcoming (Firefox 3.0.12), but until work on it is complete, a release candidate build of Firefox 3.0.12 has been made available for download for testing purposes.

“We now have a build available for the upcoming Firefox 3.0.12 security and stability release. Note that this build is a release candidate and is intended for pre-release testing. We would like your help in testing the release and identifying any possible regressions or issues before final ship. If you are riding the "beta" channel, you can manually check for updates and update to this build. Otherwise you will have to download from [here],” said Book.

All this talk about downloading Firefox updates reminded me that the Mozilla Foundation is getting ready for a celebration – the billionth Firefox download. And to celebrate, Mozilla wants you, the Firefox user, to send in a photo.

“We want to show everyone how global and diverse our community has become. So we're asking for photos of you, our community members, to display on our Billion Downloads campaign page. We'll be launching the campaign site soon, but we want to have lots of photos ready for the launch. There are tons of wonderful things about Mozillians and the greater Web. Just like there are many great wonders of the world. That's why we're asking you to take photos of yourself at wonderful places near you,” explained Mozilla.

You can send your image to fxbillion[at]mozilla.com
You can get additional details on the campaign on the official web page here.
