Sunday, April 11, 2021

Firefox Security, Boot Time Upgraded

Mozilla’s Firefox 3.5.1 browser is now out with fixes for one critical zero-day vulnerability that first became public earlier this week.

The zero-day flaw is a vulnerability in Firefox 3.5’s Just-in-Time (JIT) JavaScript compiler. Mozilla’s security advisory describes the vulnerability as “an exploitable memory corruption problem.”

Security researcher Simon Berry-Byrne publicly posted proof-of-concept exploit code for the flaw on Tuesday, potentially enabling an attacker to execute arbitrary code. Mozilla began testing a patch for the flaw the same day with its nightly builds.

The update is the first security update for Firefox 3.5 which was released at the end of June.

Security isn’t the only issue addressed by the update. Mozilla is also tackling a sluggish startup issue for Windows users in Firefox 3.5.1. On the Mozilla bugzilla system, the bug is officially described as “very slow startup for Firefox 3.5 due to accessing IE Internet Temporary Files and Windows Temp folder.” According to the bugzilla report, the startup time for Firefox 3.5 was found to be slower than it should have been, and Firefox 3.5.1 has now been patched to resolve the issue.

All together, the Firefox 3.5.1 release patched 22 bugs, 7 of which were tagged by developers as being critical.

Among those critical bugs are a number of non-security-related crash conditions. One of them is a crash was triggered by way of certain types of search requests made by the main browser interface.

Firefox 3.5.1 does not, however, address every issue that researchers have had issues with in Firefox 3.5.

One issue that was alleged by security researcher “^3described4^3r” is that Firefox 3.5 leaks DNS (define) information. The researcher’s claim is that Firefox 3.5 incorrectly handles DNS information that shouldn’t be exposed when a user is using a proxy (define).

At this point, Mozilla doesn’t see a security issue with Firefox 3.5’s DNS handling.

“When a user manually configures a proxy and flips the remote_dns pref to route DNS requests through the proxy, we’ll do just that — no local DNS lookups,” Mozilla’s Johnathan Nightingale told InternetNews.com. “In fact, our users can turn off dns prefetch altogether with a boolean pref called ‘network.dns.disablePrefetch,’ though we hope few do, since DNS pre-fetch improves the responsiveness of normal Web browsing.”

While the zero-day JavaScript flaw is the big news in the Firefox 3.5.1 update, Mozilla had planned for the update prior to the public disclosure of the security issue. Within days of the final Firefox 3.5 release, Mozilla had stated that a Firefox 3.5.1 release would be issued in mid- to late July to fix a number of crash issues and bugs.

Article courtesy of InternetNews.com.

Similar articles

Latest Articles

The Conversational AI Revolution:...

One of the things I’m looking forward to seeing at next week’s NVIDIA GTC event is an update on their Conversational AI efforts. I’m fascinated...

Edge Computing

Edge computing is a broad term that refers to a highly distributed computing framework that moves compute and storage resources closer to the exact...

Data-Driven Decision Making: Top...

The phrase data-driven decision making – certainly popular in the field of data analytics – may seem redundant. After all, nearly everything is driven...

Top Performing Artificial Intelligence...

As artificial intelligence has become a growing force in business, today’s top AI companies are leaders in this emerging technology. Often leveraging cloud computing and...