Mozilla Beefs Up Security in Firefox 2.0

Mozilla released the first security reinforcements for Firefox 2.0, the latest version of its popular Web browser, providing users of the open source softwarewith fixes for five critical and three minor security holes.

Security has emerged as one of the most important aspects ofbrowser software from Mozilla, Microsoft,Opera and others, as attackersincreasingly take advantage of browser vulnerabilities to hook into the computers of unsuspecting Web surfers.

This week’s patches address flaws that are indirectly related to security, Burton Group Vice President Craig Roth told LinuxInsider.

“They’re security, but they’re bug fixes to things that may affectsecurity issues,” he said, referring to social engineering attacks thataim to trick users rather than fooling the software.

Growth and Bugs

The security advantages of Firefox have helped it gain on Microsoft’s Internet Explorer like no other competitor in years. However, even though it has been growing rapidly, it is still much smaller in market share and appeal to attackers than IE.

Microsoft dominates with more than 80 percent share. However, Firefoxhas passed the 12 percent mark and is now pushing toward 15 percent. The remainder is owned by Opera, Apple’s Safari and other browsers.

Mozilla released Firefox 2.0 last October as Microsoft rolled itsmajor browser upgrade to market with IE7. Both browsers focus onsecurity, and both have suffered from bugs, flaws and security holesthat come with all software, including a password theft vulnerabilitydisclosed earlier this month.

Critical Fixes

In this week’s security update, Mozilla addressed five vulnerabilitiesdeemed “critical,” two considered “high” impact, and one minor issue.

The critical issues include an SVG Processing Remote Code Execution,a LiveConnect crash finalizing JavaScript objects, and privilegeescalation using watch point, Mozilla said.

Security firm Secunia issued an advisory on the Firefoxvulnerabilities and a recommendation that users update to Firefox 1.5.0.9or 2.0.0.1.

Social Security

Roth downplayed the significance of the Firefox security fixes,indicating Mozilla was not featuring the update prominently, nor was iturging users to download it.

The biggest security advantage of Firefox is itsmuch smaller user base compared to Explorer, Roth said, suggesting that the latestupdates are less important than how Mozilla deals with continuing andimproving social engineering attacks, particularly phishing.

“It’s an ongoing issue — one that’s more important to track thanthings like this,” he said.