Tuesday, June 21, 2011

Mozilla Firefox 5 Includes Critical Security Updates

While many are celebrating the Summer Solstice, Mozilla developers are celebrating the rapid release of Firefox 5.

Although the latest version reportedly includes more than 1,000 improvements and performance enhancements, the update from version 4 to version 5 feels more like a security update than a new version.

As indicated at Security Advisories for Firefox, the vulnerabilities listed below were fixed in Firefox 5.  This includes the WebGL graphics memory stealing issue addressed at the Mozilla Security Blog.

Fixed in Firefox 5

MFSA 2011-28 Non-whitelisted site can trigger xpinstall
MFSA 2011-27 XSS encoding hazard with inline SVG
MFSA 2011-26 Multiple WebGL crashes
MFSA 2011-25 Stealing of cross-domain images using WebGL textures
MFSA 2011-22 Integer overflow and arbitrary code execution in Array.reduceRight()
MFSA 2011-21 Memory corruption due to multipart/x-mixed-replace images
MFSA 2011-20 Use-after-free vulnerability when viewing XUL document with script disabled
MFSA 2011-19 Miscellaneous memory safety hazards (rv:3.0/ 

The upgrade to Firefox 5 will be offered to users with Firefox 4 through the browser update mechanism.  However, as the upgrade includes critical security updates, it is recommended that the update be applied as soon as possible.  To get the update now, select Help > About Firefox > Check for Updates.


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Aaron Hulett - MSFT said...

One other important item is the end of life (EOL) for Firefox 4. Those running 4 will no longer receive security updates - they need to move to 5.

More at ComputerWorld: http://www.computerworld.com/s/article/9217837/Mozilla_retires_Firefox_4_from_security_support

Corrine said...

Also, although this is about Enterprise use of Firefox, based on Asa's remarks, we can expect the same version upgrade with the next accelerated releases. From the comments starting at http://mike.kaply.com/2011/06/23/understanding-the-corporate-impact/#comment-10493:

Quote: "Firefox 6 will be the EOL of Firefox 5. And Firefox 7 will be the EOL for Firefox 6."

BTW, in case you missed it, the "Do not track" option is opt-in. It is located on the Privacy tab in Options.