Mozilla plugs Firefox holes hackers could use to bug you

Mozilla Corp. today patched eight security vulnerabilities in Firefox, half of them critical memory corruption flaws in the browser’s layout and JavaScript engines.

Firefox 3.0.7, the second security update this year to the open-source browser, fixes about the same number of bugs that Mozilla patched a month ago.

Of the eight vulnerabilities, six were rated “critical,” one “high” and one “low” in Mozilla’s four-step ranking system. The six critical bugs are in Firefox’s garbage collection routine, in the PNG libraries used by the browser, and in the layout and JavaScript engines.

Mozilla was uncertain whether the four bugs patched in the layout and JavaScript engines could be exploited, but assumed as much.

“Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code,” the accompanying advisory read.

Other patches plug holes that could be used by hackers to steal private information and spoof URLs to trick users into thinking they’re at a legitimate site.

Mozilla also addressed several non-security issues in Firefox 3.0.7, including unspecified stability problems, a bug that caused some browser cookies to mysteriously vanish, and a Mac-only flaw associated with the Flashblock add-on.

Mozilla Messaging Inc.’s Thunderbird e-mail client, which uses the Firefox rendering engine for JavaScript and other functionality, was not patched today, although six of the eight vulnerabilities also affect it.

Until Thunderbird is updated with those fixes — mid-month is the latest estimate for Thunderbird 2.0.0.21 — users can protect themselves by disabling JavaScript, said Mozilla. By default, the e-mail application has JavaScript switched off.

The new version of Firefox can be downloaded for Windows, Mac OS X and Linux from the Mozilla site. Current users can also call up their browser’s built-in updater, or wait for the automatic update notification, which typically pops up within 48 hours.

In other Firefox-related news, Mozilla today said that it would change the version number of the next major update from Firefox 3.1 — the moniker used since May, when the company first announced the upgrade — to Firefox 3.5.

The change, which had been suggested by several developers, will “indicate [the] increased scope” of the update, according to meeting notes posted online.

Last week, one developer called on Mozilla to bump up the version number. “That way we would more clearly communicate to users that this isn’t just a minor update but a major step forward,” said Simon Paquet.

Mozilla also modified the schedule today for Firefox 3.1 Beta 3 — it is too late in the process to change the beta to 3.5 — pushing back the ship date for the oft-delayed preview from an earlier estimate of March 10 to March 12.

Scrambling for market share

Firefox holds a 22 per cent market share, according to browser data from Web metrics company Net Applications Inc.

Although Microsoft Corp.’s Internet Explorer browser continued to bleed market share last month, Apple Inc.’s Safari was an even bigger loser during February, according to an Internet metrics company.

Microsoft’s browser lost 0.04 of a percentage point of its market share, to end February with 67.5 per cent, another record low for IE since Net Applications Inc. began tracking browser data in 2005.

Last month’s decline, however, was the smallest since July 2008, when IE actually gained share, and significantly less than its 12-month average of 0.7 per cent. Even so, in the past 12 months, IE has slipped 7.4 percentage points.

Within Microsoft’s total, the share of users running Internet Explorer 8 increased slightly last month from January, climbing to 1.17 per cent from 0.92 per cent.

The release candidate of IE8, dubbed RC1, has been available for about five weeks, making February the first full month of its public availability.

But for all of IE’s problems, Safari slid more last month.

Apple’s browser, which had been on a three-month winning streak during which it gained 1.5 percentage points, slipped by 0.3 of a percentage point compared to the month before, said Vince Vizzaccaro, Net Applications’ executive vice-president of marketing.

“That was surprising. We’ve been seeing Safari gain share lately.” But he offered caveats about drawing conclusions from Net Applications’ data.

“Safari could have grown significantly, but it grew less significantly than, say, IE,” said Vizzaccaro. Net Applications measures browser usage by tracking the machines that visit the 40,000 or so sites it monitors for clients.

He also offered a possible explanation for Safari’s drop, the browser’s largest one-month fall since June 2007. “It might be due to the month,” he said.

“In December [2008] and January [2009], there was a lot more browsing from home because of holidays and vacation time those months. So one way to look at Safari’s numbers is that [overall usage] may not have gone down, but they look down compared to January and December, when more people were at home.”

Previously, Vizzaccaro has maintained that Net Applications’ data shows that use of non-Microsoft browsers climbs after work hours, on weekends and during holidays, as users surf from home computers rather than from work machines, which are far more likely to run Microsoft’s IE.

That was in evidence, he said earlier this year, during December, when IE’s share plunged and rivals’ shares jumped.

Even Apple’s release of the Safari 4 beta last week couldn’t stem the browser’s overall slide. For the month, Safari 4 averaged a meager 0.08 per cent, although numbers nearer the end of February were more impressive. “The important thing about Safari 4 is that its trend line looks like it will take off fast,” Vizzaccaro said.

With both IE and Safari down, Mozilla Corp.’s Firefox had no trouble winning the share race last month. The open-source browser gained ground for the fifth month in a row to finish at a record share of 21.7 per cent.

According to Net Applications’ data, Firefox users also continued to leave Version 2.0 for the newer Version 3.0: 88 per cent of those using Firefox are running the latter, an increase from the 85 per cent who were running the newest edition last month.

Mozilla dropped support for Firefox 2.0 last December and made its third and final upgrade offer to users running that edition in early January. Since then, Google Inc. has shut off the antiphishing service that provided updates to Firefox 2.0.

Other browsers also posted increases last month: Google’s Chrome boosted its share to 1.15 per cent, while Opera Software ASA’s flagship browser climbed slightly to 0.71 per cent.

Net Applications’ browser share data is available online.
