In keeping with the rapid release schedule, Mozilla released Firefox 6 today.
As expected when a version update is released, you may find that many of your favorite add-ons are not compatible with the new release. Use Add-on Compatibility Reporter to test and report on your favorite add-ons in version 6.
What's New
- The address bar now highlights the domain of the website you're visiting
- Streamlined the look of the site identity block
- Added support for the latest draft version of WebSockets with a prefixed API
- Added support for EventSource / server-sent events
- Added support for window.matchMedia
- Added Scratchpad, an interactive JavaScript prototyping environment
- Added a new Web Developer menu item and moved development-related items into it
- Improved usability of the Web Console
- Improved the discoverability of Firefox Sync
- Reduced browser startup time when using Panorama
- Fixed several stability issues
- Fixed several security issues
Fixed in Firefox 6
MFSA 2011-29 includes eight (8) critical and two (2) high security updates.

Miscellaneous memory safety hazards (rv:4.0)
Impact: Critical
Description: Mozilla identified and fixed several memory safety bugs in the browser engine used in Firefox 4, Firefox 5 and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
References:
- JavaScript crash
- Crash in the Ogg reader which affected Firefox 4 and Firefox 5.
- Memory safety issues which affected Firefox 4 and Firefox 5.

Unsigned scripts can call script inside signed JAR
Impact: Critical
Description: Unsigned JavaScript could call into script inside a signed JAR, thereby inheriting the identity of the site that signed the JAR as well as any permissions that a user had granted the signed JAR.
This is a distinct issue from MFSA 2008-23 and did not affect Firefox 3.6.

String crash using WebGL shaders
Impact: Critical
Description: An overly long shader program could cause a buffer overrun and crash in a string class used to store the shader source code.

Heap overflow in ANGLE library
Impact: Critical
Description: Potentially exploitable heap overflow in the ANGLE library used by Mozilla's WebGL implementation.

Crash in SVGTextElement.getCharNumAtPosition()
Impact: Critical
Description: An SVG text manipulation routine contained a dangling pointer vulnerability.

Credential leakage using Content Security Policy reports
Impact: High
Description: Content Security Policy violation reports failed to strip out proxy authorization credentials from the list of request headers. Redirecting to a website with Content Security Policy resulted in the incorrect resolution of hosts in the constructed policy.

Cross-origin data theft using canvas and Windows D2D
Impact: High
Description: When using Windows D2D hardware acceleration, image data from one domain could be inserted into a canvas and read by a different domain.
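The credential leak in CSP violation reports listed above is a browser-side bug, but a report collector can also defend itself by scrubbing credential-bearing headers before anything is logged. The following Python is an added example, not code from the original post or from Mozilla; it assumes the early Firefox report shape (a top-level `csp-report` object carrying a `request-headers` string) and uses a constructed sample report.

```python
import json
import re

# Header names whose values carry credentials and must never reach log storage.
# Constructed list for this example; extend it to match your deployment.
SENSITIVE_HEADERS = {"proxy-authorization", "authorization", "cookie"}


def scrub_request_headers(raw_headers: str) -> str:
    """Redact credential-bearing lines from a CRLF/LF-separated header block.

    Matching is case-insensitive on the header name; the value is never
    inspected or copied, so a redacted line leaves no trace of the secret.
    """
    kept = []
    for line in re.split(r"\r?\n", raw_headers):
        name, sep, _value = line.partition(":")
        if sep and name.strip().lower() in SENSITIVE_HEADERS:
            kept.append(f"{name.strip()}: [redacted]")
        else:
            kept.append(line)
    return "\n".join(kept)


def sanitize_csp_report(body: str) -> dict:
    """Parse a CSP violation report and return it with credentials removed.

    Assumed layout (early Firefox reports): {"csp-report": {..., "request-headers": "..."}}.
    Reports without a request-headers string are returned unchanged.
    """
    report = json.loads(body)
    inner = report.get("csp-report", {})
    if isinstance(inner.get("request-headers"), str):
        inner["request-headers"] = scrub_request_headers(inner["request-headers"])
    return report


# Constructed sample report, not a real capture; the Basic credential is a dummy.
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "request": "GET /index.html HTTP/1.1",
        "request-headers": "Host: example.com\r\nProxy-Authorization: Basic dXNlcjpwYXNz\r\nAccept: text/html",
        "blocked-uri": "http://third-party.example/script.js",
        "violated-directive": "script-src 'self'",
    }
})

if __name__ == "__main__":
    print(json.dumps(sanitize_csp_report(SAMPLE_REPORT), indent=2))
```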
The upgrade to Firefox 6 will be offered through the browser update mechanism. However, as the upgrade includes critical security updates, it is recommended that the update be applied as soon as possible. To get the update now, select Help, About Firefox, Check for Updates.
References
- Common questions after updating Firefox
- Mozilla Firefox Release Notes
- Mozilla Foundation Security Advisory 2011-29