Mozilla fixes six vulnerabilities in Firefox 9, the latest version of its popular Web browser. Two of the patches address issues with HTML5.
Less than a day after Mozilla released
its latest version of the Firefox Web browser, the company released a software
update.
Mozilla patched six Firefox vulnerabilities in the new
Firefox 9, which it officially released on Dec. 20. Four of the issues were
rated "critical," and the remaining two were rated "high"
and "moderate." Mozilla also released Firefox 9.0.1 on Dec. 21 to fix
a bug that was causing the Mac version of the popular browser to crash.
Two critical patches addressed HTML5
security in Firefox, the Thunderbird email client and SeaMonkey, an all-in-one
suite that combines a Web browser with email, newsgroups, feed and chat
clients. Mozilla fixed a bug that caused applications to crash when an OGG
<video> element was scaled to "extreme sizes," according to the
2011-58 security advisory. The other issue was an out-of-bounds memory access
flaw in how Mozilla implemented SVG in these applications, according to the
2011-55 advisory. This flaw was reported by HP TippingPoint's Zero Day
Initiative.
"One problem that was pointed out
by various people is the fact that the addition of the <video> and
<audio> tags requires the inclusion of respective file format parsers in
the browser. These parsers have been known in the past to be the source of
various security issues," said Johannes Ullrich, of SANS Institute's
Internet Storm Center.
Another critical patch addressed 23
memory bugs that developers found and fixed in the core browser engine. Mozilla
said these bugs couldn't be exploited in Thunderbird and SeaMonkey because
scripting is disabled, but posed a potential risk in the Web browser. They do
not affect the browser engine being used in versions before Firefox 4.
"Some of these bugs showed
evidence of memory corruption under certain circumstances, and we presume that
with enough effort at least some of these could be exploited to run arbitrary
code," Mozilla wrote in the 2011-53 security advisory.
Firefox 9 still does not have the
"silent update" mechanism that Mozilla promised in the summer of
2010. Silent updates are now expected in Firefox 12, due in April 2012.
At the moment, Google's Chrome Web
browser is the only major Web browser that upgrades itself to the latest
version without requiring any user interaction. Microsoft announced this month
it will also implement automatic updates for Internet Explorer.
Mozilla also released Firefox 3.6.125
to fix the Java .jar vulnerability in the Mac OS X version of the browser that
had been patched in September. Mozilla rolled out the new
update because the original patch (2011-40) turned out to be incorrect. Firefox
3.6 was released in 2010 and is still being supported, even though Mozilla is
encouraging users to move to newer versions that take advantage of the
rapid-release schedule.
The vulnerability, which treats
downloaded .jar files as fully featured "applications" instead
of granting limited privileges as "applets," was also in Mozilla's
Thunderbird email client and has been fixed in Thunderbird 3.1.17.
The company recently moved to a rapid
development cycle, updating the Web browser every six weeks. Firefox 10 is
scheduled for Jan. 31, 2012.
In this latest version, Mozilla
optimized its SpiderMonkey JavaScript engine to generate native code more
efficiently. Firefox 9 renders JavaScript between 16 percent and 36 percent
faster than previous versions, Mozilla said, citing results from various
JavaScript benchmark test suites.
Firefox 9's
interface on Mac OS X 10.7 has been tweaked to support Mac OS Lion's two-fingered
swipe gesture for navigating backward and forward through already-viewed pages
and sites. The Android version's interface has also been revamped.