Mozilla Updates Firefox for Security, Ends 3.0.x Branch

Mozilla is out this week with Firefox 3.5.9 and 3.0.19 updates, fixing multiple security vulnerabilities in the open source Web browser’s two branches, while announcing that the older of the two branches is being phased out.

As part of the update, Mozilla also issued new advisories on problems that also impact Firefox 3.6.2 browser, which it released last week, in addition to the 3.5.x and 3.0.x browsers.

With the 3.0.19 update, Mozilla is pledging to end the 3.0.x branch, which first debuted in June 2008.

“This is the last planned security and stability release for Firefox 3.0,” said Christian Legnitto, Mozilla’s new release driver for security and stability releases. Legnitto joined Mozilla earlier this month after a previous stint working at Apple, where he worked on stability and security releases for Mac OS X.

Among the fixes in the Firefox 3.5.9 and 3.0.19 updates are five that Mozilla identifies as being “critical,” four of which it also fixed in Firefox 3.6. At the time of the Firefox 3.6.2 release, Mozilla only issued one advisory for an issue that had affected only that particular browser.

For all three browsers, the updates include a fix for crashes with evidence of memory corruption, a commonly fixed item in Firefox releases.

Also being addressed in two of the branch updates is a remote code execution issue, whereby XUL item memory is still being used even after it is freed by the browser. The XUL tree item issue does not affect the Firefox 3.6 browser.

“Security researcher ‘regenrecht’ reported via TippingPoint’s Zero Day Initiative that a select event handler for XUL tree items could be called after the tree item was deleted,” Mozilla stated in its advisory. “This results in the execution of previously freed memory which an attacker could use to crash a victim’s browser and run arbitrary code on the victim’s computer.”

There are also fixes for a pair of dangling pointer vulnerabilities, which occur when a pointer is left alive when it was supposed to be closed by the browser. The flaws could potentially have enabled an attacker to execute arbitrary code.

Lastly, Mozilla is providing a fix for a privilege escalation issue in the browser.

“Security researcher Paul Stone reported that a browser applet could be used to turn a simple mouse click into a drag-and-drop action, potentially resulting in the unintended loading of resources in a user’s browser,” Mozilla stated in its advisory. “This behavior could be used twice in succession to first load a privileged chrome: URL in a victim’s browser, then load a malicious JavaScript: URL on top of the same document, resulting in arbitrary script execution with chrome privileges.”

Locking down new Web browser threats

Mozilla is now also working on a number of other security fixes including one that potentially exists in every major browser currently shipping. All major browsers include a CSS mechanism that shows a different color for a visited link, and which could potentially lead to users history information being stolen. An upcoming version of Firefox will provide a fix for the issue.

“We have to be realistic, though: there are many ways all browsers leak information about you, and fixing CSS history sniffing will not block all of these leaks” Mozilla wrote in a blog post. “But we believe it’s important to stop the scariest, most effective history attacks any way we can since it will be a big win for users’ privacy.”

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.

RELATED NEWS AND ANALYSIS

• Ethics and Artificial Intelligence: Driving Greater Equality

  FEATURE |  By James Maguire,
  December 16, 2020

• AI vs. Machine Learning vs. Deep Learning

  FEATURE |  By Cynthia Harvey,
  December 11, 2020

• Huawei’s AI Update: Things Are Moving Faster Than We Think

  FEATURE |  By Rob Enderle,
  December 04, 2020

• Keeping Machine Learning Algorithms Honest in the ‘Ethics-First’ Era

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 18, 2020

• Key Trends in Chatbots and RPA

  FEATURE |  By Guest Author,
  November 10, 2020

• Top 10 AIOps Companies

  FEATURE |  By Samuel Greengard,
  November 05, 2020

• What is Text Analysis?

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 02, 2020

• How Intel’s Work With Autonomous Cars Could Redefine General Purpose AI

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 29, 2020

• Dell Technologies World: Weaving Together Human And Machine Interaction For AI And Robotics

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 23, 2020

• The Super Moderator, or How IBM Project Debater Could Save Social Media

  FEATURE |  By Rob Enderle,
  October 16, 2020

• Top 10 Chatbot Platforms

  FEATURE |  By Cynthia Harvey,
  October 07, 2020

• Finding a Career Path in AI

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  October 05, 2020

• CIOs Discuss the Promise of AI and Data Science

  FEATURE |  By Guest Author,
  September 25, 2020

• Microsoft Is Building An AI Product That Could Predict The Future

  FEATURE |  By Rob Enderle,
  September 25, 2020

• Top 10 Machine Learning Companies 2021

  FEATURE |  By Cynthia Harvey,
  September 22, 2020

• NVIDIA and ARM: Massively Changing The AI Landscape

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  September 18, 2020

• Continuous Intelligence: Expert Discussion [Video and Podcast]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 14, 2020

• Artificial Intelligence: Governance and Ethics [Video]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 13, 2020

• IBM Watson At The US Open: Showcasing The Power Of A Mature Enterprise-Class AI

  FEATURE |  By Rob Enderle,
  September 11, 2020

• Artificial Intelligence: Perception vs. Reality

  FEATURE |  By James Maguire,
  September 09, 2020