Mozilla Squashes a Dozen New Bugs
It's been six months since Mozilla's Firefox 3 leapt onto the scene. In that time, the browser required a tuneup only three times — until Wednesday, when patches for a swath of vulnerabilities upped the count to four.
Firefox 3.0.4 repairs eleven flaws in the browser, while the accompanying update to the Firefox 2 line cures twelve. Among the issues classified as critical corrected in both browsers are: XSS/Javascript privilege escalation, buffer overflows in the http-index-format parser, crashes with memory corruption, and crashes with remote code execution in nsFrameManager. Lower-rated issues fixed in 3.0.4 included parsing errors, a bug where chrome's enhanced privileges were passed to file: URIs opened from chrome, a glitch allowing local shortcut files to be used to steal information, a security bypass in the -moz-binding property, and others.
Several of the same vulnerabilities were also corrected in Firefox 2.0.18, as well as a Flash bug allowing execution of arbitrary code, a crash with execution of remote code via __proto__ tampering, and image stealing via canvas and HTTP redirects. Firefox 2.0.18 is the second-to-last release of Firefox 2 — Mozilla will retire the browser in mid-December with the final 2.0.19 update.
Non-security updates to the browser included official releases for two new languages — Icelandic and Thai — as well as beta releases for an additional six languages. The Public Suffix List — the browser's internal list of top-level domains — was updated, additional EV root certificates were enabled, bugs affecting the saving of passwords and non-HTTP proxy settings were squashed, and an annoying issue where the "Add Bookmark" panel covered the IME input tool used for entering characters from several languages was also fixed.
A number of known issues, as well as system requirements, installation/uninstallation instructions, and other resources can be found in the official release notes for Firefox 3.0.4 (or those for Firefox 2.0.18). Downloads of Firefox 3.0.4 in fifty languages are available from Mozilla's download site; existing users can also use the built-in Check for Updates utility. (Firefox 2 users can pick up the 2.0.18 release from Mozilla's "All Older" page.) Most Linux distributions, if they haven't done so already, should be pushing the update out to users through their normal update mechanisms within the next few days.