RealTime IT News

Mozilla Updates Firefox 3.5 for Security, Startup

Mozilla's Firefox 3.5.1 browser is now out with fixes for one critical zero-day vulnerability that first became public earlier this week.

The zero-day flaw is a vulnerability in Firefox 3.5's Just-in-Time (JIT) JavaScript compiler. Mozilla's security advisory describes the vulnerability as "an exploitable memory corruption problem."

Security researcher Simon Berry-Byrne publicly posted proof-of-concept exploit code for the flaw on Tuesday, potentially enabling an attacker to execute arbitrary code. Mozilla began testing a patch for the flaw the same day with its nightly builds.

The update is the first security update for Firefox 3.5 which was released at the end of June.

Security isn't the only issue addressed by the update. Mozilla is also tackling a sluggish startup issue for Windows users in Firefox 3.5.1. On the Mozilla bugzilla system, the bug is officially described as "very slow startup for Firefox 3.5 due to accessing IE Internet Temporary Files and Windows Temp folder." According to the bugzilla report, the startup time for Firefox 3.5 was found to be slower than it should have been, and Firefox 3.5.1 has now been patched to resolve the issue.

All together, the Firefox 3.5.1 release patched 22 bugs, 7 of which were tagged by developers as being critical.

Among those critical bugs are a number of non-security-related crash conditions. One of them is a crash was triggered by way of certain types of search requests made by the main browser interface.

Firefox 3.5.1 does not, however, address every issue that researchers have had issues with in Firefox 3.5.

One issue that was alleged by security researcher "^3described4^3r" is that Firefox 3.5 leaks DNS information. The researcher's claim is that Firefox 3.5 incorrectly handles DNS information that shouldn't be exposed when a user is using a proxy .

At this point, Mozilla doesn't see a security issue with Firefox 3.5's DNS handling.

"When a user manually configures a proxy and flips the remote_dns pref to route DNS requests through the proxy, we'll do just that -- no local DNS lookups," Mozilla's Johnathan Nightingale told InternetNews.com. "In fact, our users can turn off dns prefetch altogether with a boolean pref called 'network.dns.disablePrefetch,' though we hope few do, since DNS pre-fetch improves the responsiveness of normal Web browsing."

While the zero-day JavaScript flaw is the big news in the Firefox 3.5.1 update, Mozilla had planned for the update prior to the public disclosure of the security issue. Within days of the final Firefox 3.5 release, Mozilla had stated that a Firefox 3.5.1 release would be issued in mid- to late July to fix a number of crash issues and bugs.