Mozilla Fixes HTML5, Memory Corruption Bugs in Firefox 9

Mozilla fixes six vulnerabilities in Firefox 9, the latest version of its popular Web browser. Two of patches address issues with HTML5.

Less than a day after Mozilla released its latest version of the Firefox Web browser, the company released a software update.

Mozilla patched six Firefox vulnerabilities in the new Firefox 9, which it officially released on Dec. 20. Four of the issues were rated "critical," and the remaining two were rated "high" and "moderate." Mozilla also released Firefox 9.0.1 on Dec. 21 to fix a bug that was causing the Mac version of the popular browser to crash.

Two critical patches addressed HTML5 security in Firefox, the Thunderbird email client and SeaMonkey, an all-in-one suite that combines a Web browser with email, newsgroups, feed and chat clients. Mozilla fixed a bug that caused applications to crash when an OGG <video> element was scaled to "extreme sizes," according to the 2011-58 security advisory. The other issue was an out-of-bounds memory access flaw in how Mozilla implemented SVG in these applications, according to the 2011-55 advisory. This flaw was reported by HP Tipping Point's Zero Day Initiative.

"One problem that was pointed out by various people is the fact that the addition of the <video> and <audio> tags requires the inclusion of respective file format parsers in the browser. These parsers have been known in the past to be the source of various security issues," said Johannes Ullrich, of SANS Institute's Internet Storm Center.

Another critical patch addressed 23 memory bugs that developers found and fixed in the core browser engine. Mozilla said these bugs couldn't be exploited in Thunderbird and SeaMonkey because scripting is disabled, but posed a potential risk in the Web browser. They do not affect the browser engine being used in versions before Firefox 4.

"Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla wrote in the 2011-53 security advisory.

Firefox 9 still does not have the "silent update" mechanism that Mozilla promised in the summer of 2010. Silent updates are now expected in Firefox 12, due in April 2012.

At the moment, Google's Chrome Web browser is the only major Web browser that upgrades itself to the latest version without requiring any user interaction. Microsoft announced this month it will also implement automatic updates for Internet Explorer.

Mozilla also released Firefox 3.6.125 to fix the Java .jar vulnerability in the Mac OS X version of the browser that had been patched in September. Mozilla rolled out the new update because the original patch (2011-40) turned out to be incorrect. Firefox 3.6 was released in 2010 and is still being supported, even though Mozilla is encouraging users to move to newer versions that take advantage of the rapid-release schedule.

The vulnerability, which treats downloaded .jar files as fully featured "applications" instead of granting limited privileges as "applets," was also in Mozilla's Thunderbird email client and has been fixed in Thunderbird 3.1.17.

The company recently moved to a rapid development cycle, updating the Web browser every six weeks. Firefox 10 is scheduled for Jan. 31, 2012.

In this latest version, Mozilla optimized its SpiderMonkey JavaScript engine to generate native code more efficiently. Firefox 9 renders JavaScript between 16 percent and 36 percent faster than previous versions, Mozilla said, citing results from various JavaScript benchmark test suites.

Firefox 9's interface Mac OS X 10.7 has been tweaked to support Mac OS Lion's two-fingered swipe gesture for navigating backward and forward through already-viewed pages and sites. The Android version's interface has also been revamped.