The Inquirer-Home

Firefox and Thunderbird 7 have critical security patches

No fix for BEAST SSL/TLS attack yet
Wed Sep 28 2011, 14:23

OPEN SOURCE SOFTWARE HOUSE Mozilla has released updated versions of its Firefox and Thunderbird products that address critical vulnerabilities and have other security improvements.

The release of Firefox 7 is important because the new version features better memory management and is the first step in Mozilla's long term plan to make the browser more resource friendly.

Nevertheless, users who upgrade to it will also benefit from improved security as this release fixes six critical and two moderate severity security vulnerabilities.

Four of the critical patches are shared with Thunderbird 7 and address a use-after-free condition with OGG headers, an exploitable crash in the YARR regular expression library, a code installation quirk involving the Enter key and multiple memory hazards.

A moderate severity patch that provides defence against multiple Location headers caused by CRLF injection attacks is also common to both products.

In addition to these patches Firefox 7 also contains fixes for two critical and one moderate severity vulnerabilities, with one of them resulting in a potentially exploitable WebGL crash.

It's worth pointing out that Microsoft previously motivated its decision to not include support for WebGL in Internet Explorer by saying that the 3D graphics library opens a large attack surface.

So far several serious vulnerabilities have been identified and patched in WebGL, which partially supports Microsoft's assessment, but the library's supporters claim this is no different than with other technologies.

Firefox 7 also updates Websocket, a protocol disabled in the past because of security issues, to version 8, which is no longer vulnerable to known attacks.

Unfortunately, Mozilla has not yet developed a fix for a recently disclosed attack against SSL/TLS, despite having worked on the problem since June. Developers are still trying to find a resolution that will break as few websites as possible, but at this point it's not even certain that a fix will be included in Firefox 8. µ

 

Share this:

blog comments powered by Disqus
Advertisement
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

Advertisement
INQ Poll

Blackberry completes restructuring process

Do you think Blackberry can bounce back to growth?