One Flaw And a First For Latest Firefox Update


Typically when Mozilla updates its Firefox browser, it includes a number of security updates. For Firefox 2.0.0.3 and 1.5.11, that number is one. The update also marks the first time Firefox has benefited from an expanded community effort.


The one flaw is of the low-impact variety and concerns the manner in which Firefox handles a certain FTP command. According to Mozilla’s security advisory, a malicious Web page could potentially exploit the PASV (passive) command in FTP to perform a port scan of an internal network.


By itself, the Mozilla advisory notes, the port scan causes no harm, but information about an internal network may be useful to an attacker should there be other vulnerabilities present on the network. Port scans are often seen as the first step for hackers in enumerating targets.


Mozilla has now plugged the potential hole in the new 2.0.0.3 release, as well as in the 1.5.x series with Firefox 1.5.11.
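One defensive way for an FTP client to handle PASV replies, as an added example (not Mozilla's patch and not code from the advisory): parse the RFC 959 `227` reply, but open the data connection only to the control connection's peer and flag any reply that names a different host. The function names and sample replies are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 reply format: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
_PASV_RE = re.compile(r"^227 .*?(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

# Constructed sample replies (documentation and private address ranges).
SAMPLE_SAME_HOST = "227 Entering Passive Mode (203,0,113,10,19,137)"
SAMPLE_OTHER_HOST = "227 Entering Passive Mode (192,168,1,20,0,22)"


class PasvError(ValueError):
    """Malformed or out-of-range PASV reply."""


def parse_pasv(reply):
    """Return the (host, port) a 227 reply advertises."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise PasvError("not a PASV reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise PasvError("field out of range: %r" % reply)
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise PasvError("port 0 is not connectable")
    return ".".join(map(str, nums[:4])), port


def data_endpoint(control_peer_ip, reply):
    """Choose the data-connection target, pinned to the control peer.

    Returns (host, port, mismatch). host is always control_peer_ip;
    mismatch is True when the reply named a different address.
    """
    advertised, port = parse_pasv(reply)
    mismatch = ipaddress.ip_address(advertised) != ipaddress.ip_address(control_peer_ip)
    return control_peer_ip, port, mismatch


if __name__ == "__main__":
    for reply in (SAMPLE_SAME_HOST, SAMPLE_OTHER_HOST):
        print(data_endpoint("203.0.113.10", reply))
```

A `mismatch` of True is worth logging, since a legitimate server behind NAT and a hostile one look the same at this layer.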


The one security fix is a dramatic drop from the Firefox 2.0.0.2 release, which patched at least seven flaws, including a critical password vulnerability bug last November.


A new aspect of the 2.0.0.3 release is that Mozilla has taken advantage of an expanded testing effort by engaging users with a broader community beta program for Firefox point releases.


Mozilla had been issuing release candidates in the lead-up to the official release of Firefox 2. Anyone who downloaded and installed a pre-release version of Firefox 2 became part of the beta program. Those same users are now going to be part of the beta program for individual Firefox point releases.


“We currently have hundreds of thousands of members worldwide and hope to expand the program in the coming months,” Christopher Beard, vice president of marketing and products, told internetnews.com. “Expanding our beta program to our minor releases will improve the overall effectiveness and quality of our security and stability release process.”
