Mozilla Fixes Firefox Flaws as 3.5 Release Nears

June’s not even half over, and it’s already proven to be a busy month for Mozilla developers.

Within recent days, the team pushed out the first official Firefox 3.5 release candidate (RC 1) and updated its Jetpack technology for browser add-ons. At the same time, Mozilla is also working to stamp out a handful of vulnerabilities in Firefox’s current release with a new security update.

The new Firefox 3.0.11 release this week addresses nine different security vulnerabilities, four of which are rated by Mozilla as being critical.

As is common in Firefox security updates, one of the critical security advisories deals with what Mozilla refers to as, “crashes with evidence of memory corruption.” For Firefox 3.0.11, there are at least four different crash conditions that Mozilla is fixing to prevent potential memory corruption.

Another critical issue fixed in the new Firefox release deals with a JavaScript privilege-escalation issue.

“Using this vulnerability, an attacker could cause a chrome privileged object, such as the browser sidebar or the FeedWriter, to interact with Web content in such a way that attacker-controlled code may be executed with the object’s chrome privileges,” Mozilla’s advisory states.

Spoofing is also an issue for which browser vendors are on alert, and it’s a threat that gets a fix in the new Firefox release. According to Mozilla, invalid Unicode characters that might be part of an international domain name (IDN) could trigger a potential URL-spoofing issue.

According to Mozilla’s advisory, “an attacker could use this vulnerability to spoof the location bar and display a misleading URL for their malicious Web page.”

There is also a cookie issue that gets patched in the Firefox 3.0.11 release, which prevents an attacker from reading a user’s browser cookies without permission. The attack would have involved a user downloading a malicious file that could then read arbitrary cookies from the browser.

Meanwhile, SSL in Firefox gets a fix for a complicated issue whereby an encrypted connection could be intercepted by an attacker using a proxy.

“An active network attacker could use this vulnerability to intercept a CONNECT request and reply with a non-200 response containing malicious code, which would be executed within the context of the victim’s requested SSL-protected domain,” Mozilla’s advisory said.

Jetpack 0.2

While Mozilla developers patch their existing Firefox browser, work continues on the next generation of Firefox and its related technologies. One of those technologies is Jetpack, which is a new approach for add-ons, and which also received an update this week.

“Slidebars are a reinvention of the old sidebar feature of browsers,” Aza Raskin, Mozilla’s head of user experience, wrote in a blog post. “They allow quick access to a wide range of both temporary and permanent information at the side of your browser window.”

Jetpack 0.2 also adds persistent data store capabilities, enabling add-on developers to store data across browser restarts.

Even in its early state, the offering is proving popular: Raskin said Jetpack has had over 40,000 downloads to date.

Firefox 3.5

Work also continues on the final stages of Mozilla’s next-generation browser, Firefox 3.5, with its first official release candidate (RC1) being geared up for public release.

On Friday morning, Mozilla Firefox director Mike Beltzner tweeted: “would like to introduce you all to changeset 7a4bf953ed9e … or as it will likely soon be better known, Firefox 3.5 RC.”

Beltzner told InternetNews.com last week that Firefox 3.5 would be three times faster than the current Firefox 3 release.

The new Firefox 3.5 also includes HTML 5 support for video and offline data storage.

Mozilla is not alone in supporting HTML 5 in its new browser. Apple’s new Safari 4 Web browser as well as Opera 10 and Google Chrome all now offer varying levels of HTML 5 specification support.

Get the Free Newsletter!

Subscribe to our newsletter.

Subscribe to Daily Tech Insider for top news, trends & analysis

News Around the Web