Firefox Patch on the Way for JavaScript Engine Flaw

The Mozilla Foundation plans to release a new version of its flagship Firefox browser as early as this weekend to patch a known JavaScript Engine flaw.

The flaw, which puts users at risk of information disclosure attacks, already has been fixed in nightly builds, and volunteers at the foundation said a final release on Firefox 1.0.3 could come as early as Friday evening.

“It feels like weve finally closed in on things, and were getting ready to wrap up this 1.0.3 release. Im [going to] be very cautious about calling anything a final candidate, but this one feels close,” Mozilla engineer Asa Dotzler said.

The new version, which is slated as a “maintenance release,” also will provide a fix for a bug in the add/remove programs feature.

Firefox 1.0.3 marks the third security-related fix from the foundation in the past six weeks.

In late February, Mozilla shipped a major security makeover to provide a temporary fix for the IDN (International Domain Name) issue, and to correct two serious flaws that could allow malicious attackers to spoof the source displayed in the “Download Dialog” box or to spoof the content of Web sites.

Just two weeks later, Firefox 1.0.2 was released to correct a serious vulnerability caused by the way GIF files are processed by the browser.

According to publicly posted minutes of the Mozilla.org staff meeting, the Mozilla Suite also will be updated to fix the JavaScript Engine bug.

The Thunderbird mail client will not be updated because the security bug is in JavaScript, which is not enabled by default.

The foundation also plans to relaunch the download center for its Spread Firefox initiative. The new marketing push is scheduled to include the use of ancillary tools such as feeds, Weblogs and plug-ins.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.