Security

Mozilla Issues Firefox Fix

Mozilla on Tuesday released the latest version of its popular Firefox open-source Web browser and its e-mail client. The release marks the second time in eight days the company has issued fixes.

Firefox 1.0.6 is a stability update that restores API compatibility for extensions and Web applications that did not work in Firefox 1.0.5. Firefox 1.0.5 is the security update released last week that addressed several bugs and made improvements to the software’s stability, according to Mozilla.

In all, Firefox 1.0.5 addressed 12 vulnerabilities, including JavaScript origin spoofing, content-generated event vulnerabilities, and a possible exploitable crash in InstallVersion.compareTo().

Security Focus

Some of those bugs were “high risk” and could allow a malicious code writer to take over a PC or expose a user’s data. The Mozilla community’s bug bounty program helped uncover some of the security holes. The bug finders each received US$500 and a Mozilla T-shirt.

Firefox is not alone. Other popular Web browsers, including Microsoft’s Internet Explorer and Apple’s Safari, also have a list of fixed flaws to their credit. Michael Sutton, director of iDefense Labs, the company’s vulnerability research arm, told LinuxInsider there are several reasons why we see so many browser flaws.

“Certainly there is always a race to beat the competition,” Sutton said. “Browser makers want to get the product out the door and, historically, security has not been as important in the quality assurance cycle as it should have been.”

However, Sutton said because end users are placing a greater emphasis on the value of security, vendors are now being forced to make it a priority.

Critical Apps

Analysts say that browsers have become critical inroads into corporate technology infrastructure, and therefore browser security flaws are far riskier than flaws in applications that sit on the desktop.

“Browsers are not just browsers anymore. They have all kinds of functionality. The idea is to increase that functionality all the time,” Sutton said. “Look at what Internet Explorer does today versus what it did five years ago. Any time you add increased functionality there is a greater likelihood that you are going to introduce vulnerabilities into the product.”

Mozilla plans to release Firefox 1.1 in August or September. That version will allow users to download the fixes through an integrated system update that issues small-sized upgrade files. Firefox 1.1 also includes a feature that caches previously visited pages in memory to allow faster display when users click the back and forward navigation buttons.

E-Mail Improvements

Also this week, Mozilla released Thunderbird 1.0.6, a stability update that restores API compatibility of extensions that did not work in Thunderbird 1.0.5. Thunderbird 1.0.5 shipped out in early July to fix several security flaws, including XHTML node spoofing, possible exploitable crashes and missing install object instance checks.

Thunderbird 1.0.6 is fixing extensions that 1.0.5 unintentionally broke, according to the MozillaZine blog. Specifically, Enigmail PGP, security software that enables e-mail encryption and other features, does not work in the 1.0.5 release.
