Mozilla rushes Firefox 3.5.1 to address serious vulnerability
By Scott M. Fulton, III | Published July 16, 2009, 1:51 PM
After yesterday's discovery of a serious security hole left open by Mozilla Firefox's new TraceMonkey JavaScript engine, the organization chose not to wait until next week -- as had been its plan on Tuesday -- to open up availability of its version 3.5.1 bug fix. Instead, the completed build showed up on Mozilla's FTP servers late Thursday morning, although access to that build through HTTP had been sporadic throughout the early afternoon.
Mozilla's intention was to use 3.5.1 as a vehicle for tweaks to TraceMonkey that did not make the final cut when it came time for the organization to finally release version 3.5. Betanews tests of earlier private builds of 3.5.1 showed that some of those tweaks did appear to produce slight speed gains over and above 3.5. What we don't know at the moment is whether all those tweaks actually did make it to the 3.5.1 version that's being made available today. Since the "Shiretoko" developers' track will now effectively be shifted to 3.5.2, evidence of which code got the final tweaks may only be determined through testing.
The organization is also going ahead, as planned, with beta tests of a security build for the older Firefox 3 series, to be called 3.0.12. Today's release comes as Opera unveils its public Beta 2 for version 10 of its Web browser, and Google continues fast and furious with another Dev Channel update to Chrome 3, this time as a bug fix for crashes occurring in its V8 JavaScript engine.
Firefox not being available in 64-bit is not a big deal and seriously, give the guys at Mozilla a break. Firefox takes a while to compile and build and they already are building it for 75 languages for 3 different OS's, totaling in 225 different compilations and builds. Making it available in 64-bit would multiply that number by 2 (450 different builds) and it's not worth it because most people would use the 32-bit version anyway because Flash wouldn't work with it. So if having Firefox in 64-bit is so important to you, download the source code and compile it in 64-bit yourself.
Score: 0
|Well, it's out now and not only fixes the security vulnerability but a few other things, as well. Hopefully, 3.5.2 will clean up things further so that it will be more stable.
Score: 1
|* "After yesterday's discovery of a serious security hole left open by Mozilla Firefox's new TraceMonkey JavaScript engine..."
This was not discovered yesterday. It was filed in Bugzilla a week ago on July 9, there was a minimal testcase (showing exactly what caused this) within the day, and the first patch appeared on Monday, July 13. In fact, yesterday, the bug was already closed as "Fixed."
* "...evidence of which code got the final tweaks may only be determined through testing."
Or, you know, you could look at Bugzilla (or the source code or version-control logs) to find out. They aren't secretive about it. :)
* "Instead, the completed build showed up on Mozilla's FTP servers late Thursday morning, although access to that build through HTTP had been sporadic throughout the early afternoon."
It's NOT completed; Mozilla itself says (when you try to navigate to 3.5.1 using the HTTP interface): "Firefox 3.5.1 is coming soon! Thanks for your interest in the upcoming release of Firefox 3.5.1, but there's still a bit more left to do before we're ready. We're asking for our users and fans to be patient and wait until it appears on the official Firefox website before downloading."
So, we can expect it soon--but it's not necessarily finished yet. (There may be final QA testing to ensure no regressions, for example.)
I really don't know where BetaNews gets random information like this and presents it as fact.
Score: 1
|This site is heavily "funded" by Microsoft so this really should not be a surprise.
Score: -4
|Source?
Citation?
Nope.
More BS from the fathead...
Score: -4
|Gee, Fatty, you are 1 away from the magical kingdom of poof and he's gone. Should I or shouldn't I... naw... I'll leave that honor to someone else.
On the article. No matter what OS or browser, when I hear the word "rush" and vulnerability in the same sentence, I think of what new vulnerability will lurk behind curtain #3
Score: -5
|Impressive turnaround time, though the workaround, disabling Tracemonkey, was pretty mild compared to those for other application vulnerabilities. Still, better the devil one knows than those completely unknown:
http://www.blueridgenetw...-2009-protect-antivirus
I'm referring to the attacks on unknown vulnerabilities that should concern us most. Every month there's news for an exploit and/or patch for a popular application. Translation: before that month, every installation of that application was vulnerable to a very serious attack threat.
Score: 0
|The workaround wasn't even disabling tracemonkey, it was disabling JIT in TraceMonkey, which might simply make some JS execute a bit slower sometimes.
Score: 0
|...which, of course, is the JIT component of SpiderMonkey. My bad. :) I thought it was a bit more, but it looks like that's all TraceMonkey is at the moment.
Score: 0