Yesterday, five weeks after shipping Firefox 4, the Mozilla project published the new browser’s first-ever security update. The Firefox version number bumps up to 4.0.1.
The update fixes 50-odd bugs in total, amusingly including three fixes listed as specific to OS/2. Ironically, the latest official release of the OS/2 port of Firefox, dubbed Warpzilla, hasn’t yet reached version 4 – it’s still back at version 3.6.8.
The release notes for Firefox 4.0.1 are hard to find from the main Mozilla.com page. (Browsing to Firefox.com doesn’t help, as this just redirects to the Mozilla page.) But if you know where to look, you’ll find that two critical security advisories are fixed in the 4.0.1 release.
MFSA2011-12 deals with memory corruption bugs in the browser engine itself; Mozilla experts officially opined that “with enough effort at least some of these could be exploited to run arbitrary code”. MFSA2011-17 deals with “two crashes that could potentially be exploited to run malicious code” in a graphics library called WebGLES, used by Firefox.
Because the 4.0.1 update addresses vulnerabilities that are considered remotely exploitable, we advise you to apply this update without delay.
The previous version, Firefox 3.6, also gets an update, moving to 3.6.17. This update also squashes some critical bugs, including the MFSA2011-12 memory corruption vulnerability affecting Firefox 4.
Two other critical vulnerabilities which don’t affect version 4 are fixed.
MFSA2011-13 deals with various “dangling pointer” bugs (a dangling pointer is a programming mistake in which a reference to a block of memory remains in use after that memory has been freed and handed back to the system for re-use). MFSA2011-15 deals with a privilege escalation bug in the Java Embedding Plugin.
The MFSA2011-15 vulnerability is specific to the Mac OS X version of Firefox. Apple users who imagine themselves invulnerable simply by virtue of their choice of operating system, please take note!
There’s an update to Mozilla’s Thunderbird email client as well. Thunderbird moves to version 3.1.10.
Somewhat confusingly, the Thunderbird release notes don’t list any critical vulnerabilities fixed in this version, but the MFSA2011-12 advisory specifically states that the bugs it covers are “fixed in Thunderbird 3.0.10”.
If you’re a Thunderbird user, we advise you, too, to update as soon as you can.