Print this article | E-mail this article | Comment on this article

The reason for the last Firefox 2 release: multiple security fixes

By Scott M. Fulton, III, BetaNews

July 3, 2008, 11:46 AM

If the manufacturer of a product acknowledges a series of potentially hazardous defects before anyone else can be hurt by them, and the solution is already available, perhaps the word "responsibility" applies in a good way.

Download Firefox 2.0.0.15 for Windows from FileForum now.

In a clever and, in retrospect, appropriate handling of what might otherwise have been categorized as a security mess, Mozilla released a new build of Firefox 2 on Tuesday, just prior to its acknowledgment of no fewer than twelve security vulnerabilities affecting prior versions, discovered by twelve separate sources. As it turns out, version 2.0.0.15 contains the fix for those problems.

With two solutions to these problems already in wide deployment -- the second being Firefox 3 -- and with a dozen or more private engineering teams dedicated to finding vulnerabilities before someone else does, the possible pervasiveness of any "zero-day" exploits inspired by the vulnerabilities' disclosure, as reported by Secunia yesterday, is clearly reduced.

It's also clear that the balance of innovation is shifting to the good guys. One of the twelve exploits, for instance, concerns how Firefox was implementing a protective wrapper that kept scripts from being capable of running arbitrary code. An engineer with the handle moz_bug_r_a4 discovered that this protective wrapper was only being applied to Firefox's own scripts, and not to scripts that are either employed by third-party add-ons or to dynamically generated scripts, pieced together in memory by means of other scripts.

"Firefox itself does not use this feature in a vulnerable way and users who have not installed any Add-ons are not at risk," the organization acknowledged on Tuesday. "We have, however, identified popular Add-ons using this feature whose users are at risk and there are no doubt others."

In another addressed vulnerability, also rated "Critical," a team of five researchers apparently went to work exploring all the classic cases of memory corruption that occur when Firefox 2 crashed -- and it did that quite often. (Seems so long ago already.) Could security holes on account of memory corruption be exploited, maybe if the user restarts Firefox 2 without rebooting the computer first?

Though that question wasn't completely answered, the evidence was apparently pointing in a bad direction. "We presume that with enough effort at least some of these could be exploited to run arbitrary code," the organization said.

Add a Comment (14 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

By sturgess

posted Jul 3, 2008 - 12:57 PM

Don't mock but reports of IE8 beta 2 due out in August boast of some pretty impressive new security. So before you give it a "one" download and try it for a while. Write a well thought out comprehensive review for the viewers. Mull it over in your mind, weigh up the pros and cons against Foxy and only then give it a "one".

Score: 0

By mjm01010101

posted Jul 4, 2008 - 12:07 AM

I don't play with Microsoft Alphas. They want to pay me: fine, but otherwise, why bother supporting a for-profit company without getting something in return?

Score: 0

By zezinho

edited Jul 4, 2008 - 12:52 PM

And the other suppliers of Web browsers are what? Charities?

Score: 0

By mjm01010101

posted Jul 4, 2008 - 5:02 PM

Mozilla is a non-profit company that allows its code to be used elsewhere. So you are actually supporting more than that singular company when you "invest" in that browser. We now have iceweasel, etc as a result. :)

Score: 0

By zezinho

posted Jul 4, 2008 - 10:30 PM

If I believe Wikipedia, the Mozilla Foundation is non-profit but in 2005 the Mozilla Corporation was created to "handle the revenue-related operations of the Mozilla Foundation".

It seems that the majority of the revenues of the foundation comes from a deal with Google.

Don't make me wrong, I don't think it's a bad thing. I believe that the programmers should be paid for their work. I just don't think that Firefox would be where it is today if it had been financed by donations only.

Personally I think Microsoft has IE and Google has Firefox. And Google is a for profit organization.

Score: 0

By Tarun.

posted Jul 3, 2008 - 12:33 PM

2.0.0.16 is coming too.

Score: 0

By sturgess

posted Jul 3, 2008 - 12:23 PM

You all thought you were safe, and now it appears you were wrong. Trouble is we're running out of browsers , anyone using an obscure one the bad guys ain't heard of yet, please !?! Not Opera, it's obscure enough but of late not up to much.

Score: 0

By PC_Tool

posted Jul 3, 2008 - 1:25 PM

How about avoiding those porn and warez sites for starters. Skipping the myspace domain would be another good idea.

;)

No software protects against stupid. Browser, OS, or otherwise.

Score: 0

By tscar13

posted Jul 5, 2008 - 4:39 PM

Great comment. You nailed the problem.

Score: 0

By sturgess

posted Jul 3, 2008 - 2:17 PM

Recent reports show the porn sites are the safest out there. Reason, they make money by charging you good folk for your daily fix and the last thing they want is to upset you.