Mozilla repairs Firefox security flaws
September 8, 2010
Mozilla said late yesterday that it has released two new versions of its Web browser, Firefox 3.6.9 and Firefox 3.5.12, to repair up to ten critical security vulnerabilities in each browser and to help website operators block an attack called clickjacking.
Firefox 3.6 also gets a new general approach to reducing browsing risks: support for the X-Frame-Options HTTP response header. Web site developers can use this header to block browsers from showing their Web sites inside a frame--essentially a smaller window within the browser window.
Placing a legitimate site inside a frame on a malicious site is one approach for attacks called clickjacking, in which the malicious site can capture keystrokes such as usernames and passwords.
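The following is an added example, not code from Mozilla or from the original article. It shows a WSGI middleware that sends X-Frame-Options and a simplified model of how a browser honoring the header decides whether to render a framed page. The header values DENY and SAMEORIGIN are not named in the article, and `login_app`, `bank.example` and `evil.example` are hypothetical names constructed for the example.

```python
from urllib.parse import urlsplit

HEADER = "X-Frame-Options"
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) for a URL, filling in default ports."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)

def framing_allowed(headers, framed_url, parent_url):
    """Simplified model of a browser that honors X-Frame-Options.

    headers: (name, value) pairs from the framed page's HTTP response.
    """
    values = {v.strip().upper() for k, v in headers if k.lower() == HEADER.lower()}
    if "DENY" in values:
        return False  # never render inside a frame
    if "SAMEORIGIN" in values:
        return origin(framed_url) == origin(parent_url)
    return True  # no recognized policy: any site may frame the page

def frame_guard(app, policy="DENY"):
    """WSGI middleware: add X-Frame-Options unless the app already set it."""
    if policy not in ("DENY", "SAMEORIGIN"):
        raise ValueError("policy must be DENY or SAMEORIGIN")
    def wrapped(environ, start_response):
        def guarded_start(status, headers, exc_info=None):
            if not any(k.lower() == HEADER.lower() for k, _ in headers):
                headers = list(headers) + [(HEADER, policy)]
            return start_response(status, headers, exc_info)
        return app(environ, guarded_start)
    return wrapped

def response_headers(app):
    """Call a WSGI app once with a constructed request; return its headers."""
    captured = []
    def start_response(status, headers, exc_info=None):
        captured.extend(headers)
    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/login"}, start_response))
    return captured

def login_app(environ, start_response):  # constructed sample application
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<form>...</form>"]
```

Running `response_headers(login_app)` against the unwrapped app shows the gap a site audit should look for: a login page whose response carries no framing policy at all.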
For the new versions of Firefox 3.5 and 3.6, nine of the ten critical vulnerabilities are exactly the same, but one problem on 3.5 is only minor on 3.6, and one 3.6 problem doesn't affect 3.5.
Several noncritical security vulnerabilities were fixed as well.
Overall, critical security vulnerabilities can allow a remote attacker to run malicious code on a PC or workstation. With today's complex Web browsers becoming more and more powerful, browser makers must constantly watch for new attack possibilities on their software.
Mozilla is also racing against the clock to release Firefox 4.0 before the end of the year. It released a 5th Firefox 4.0 beta yesterday, adding support for some hardware acceleration on Windows, among other neat features.
It also seems probable that Mozilla won't meet its Sep. 10 deadline for freezing the code base for the sixth beta--the last cutoff point for getting new features into Firefox 4. Some say a week later, Sep. 17, looks more likely.
We don't want to dampen your hopes, but not all the Firefox 4.0 features are coming to fruition, at least not now. According to meeting notes published yesterday, another feature slipped off the roadmap: a Firefox developer tool called the 'Inspector' that would have made it easier to find details about security elements on specific Web pages of any given site.
Also updated yesterday were the stable and beta versions of Google's new Chrome 6 browser with the release of version 6.0.472.55. Wow.
This most recent security update also patches issues with autofill, which can enter data such as addresses and names into Web forms, the overwriting of the default search engine setting and also some issues with Chrome's language translation feature.