Thursday marked yet another chapter in the short, rocky history of Mozilla’s Firefox 3.5 browser, as the foundation released a security update a little more than two weeks after unveiling it.
Firefox 3.5.1 fixes a JavaScript vulnerability in version 3.5 that exposed users to so-called drive-by attacks.
However, the fix may rob Firefox 3.5 of one of its main boasting points — speed — and Firefox 3.5.1 may have a few flaws of its own.
Announcing Firefox 3.5.1
Firefox 3.5.1 is available for download “as part of the Mozilla Corporation’s ongoing security and stability process,” Director of Firefox Development Mike Beltzner wrote Thursday on Mozilla’s developer site blog.
Version 3.5.1 is available for Windows, Mac and Linux platforms as a free download.
All Firefox 3.5 users upgrade to 3.5.1, Beltzner recommended, and he said users of version 3.5 will receive an automated update notification.
The update can be applied manually by selecting “Check for Updates” from the browser’s Help menu.
The Firefox 3.5 Bug
Firefox 3.5 went through several iterations and beta releases before it was finally unveiled June 30, but that doesn’t seem to have stopped all vulnerabilities from slipping through.
The security flaw, found in Firefox’s Just-In-Time (JIT) JavaScript compiler, was discovered in the first week of July. The hacker group milw0rm published the flaw on the Web this week.
It leaves users vulnerable to drive-by attacks, causing malicious code to download to their computers automatically when they land on a tainted Web page.
Internet security services company Secunia rated the vulnerability as “highly critical,” the fourth-ighest ranking.
Quick ‘n’ Dirty Solutions
On Tuesday, Mozilla suggested a workaround in its security blog that consists of disabling the JIT in the JavaScript engine.
Doing so will slow down the browser and is only a temporary security measure, Mozilla said.
Another option is to run Firefox in Safe mode.
Users who disable JIT must turn it back on when they install Firefox 3.5.1, the Sans Institute warned.
Mozilla could not respond to requests for comment by press time.
Doing Less With More
As Firefox — and nearly all other browsers, for that matter — is facing a growing security threat.
“Browsers are increasingly large and complex pieces of software,” Gartner analyst Ray Valdes told TechNewsWorld. “The vulnerability arises from complex code that is new and not fully exercised.”
A modern browser has about 1.5 million lines of code, Valdes said, adding that the occasional vulnerability will crop up, especially in a complex subsystem like a JIT compiler.
Slow Down, You Move Too Fast
While faster browsers may delight users, they also are more vulnerable to malware.
“Attackers are happy with having a faster JavaScript engine running on victims’ machines,” Stephan Chenette, manager of security at Web, data and messaging security vendor Websense, told TechNewsWorld. “A faster JavaScript engine will obfuscate code faster.”
Obfuscated code has been scrambled to make it more difficult to detect, and obfuscation is a favorite tactic of malware authors.
Firefox 3.5.1 Issues
Mozilla put out a list of known issues with Firefox 3.5.1 in the release notes for the update.
Users on all platforms will not be able to return to a previous beta version of Firefox 3.5 without creating a new profile. They will also find that some SSL sites will not load all images and styles after they clear their browser’s recent history unless they press “Reload.” Also, some Web sites with Flash can cause problems with the Cookies dialog.
Windows users will find that pressing “Enter” in the Location Bar will not do anything if they are running AVG SafeSearch v8.0 or older. Mozilla recommends they upgrade to a newer version of the AVG SafeSearch antivirus application.
If Mac users repeatedly change the paper size and ask for a print preview, Firefox 3.5.1 may crash.
Linux and Unix users may find that zooming out on some sites results in grey or black lines appearing on their screen.
These problems will be fixed in future updates, Mozilla said.
Loading ...
