April 22, 2009 12:05 AM PDT

Firefox 3.0.9 targets 12 security vulnerabilities

by Steven Musil

Updated at 11:32 a.m. PST with a summary of the bug fixes.

Mozilla released an update to Firefox 3 on Tuesday that patches 12 security vulnerabilities, four of which it rated as critical.

Firefox 3.0.9, the Web browser's third update this year, fixes two critical vulnerabilities in the Firefox browser engine and two in its JavaScript engine, according to a security advisory posted Tuesday:

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort, at least some of these could be exploited to run arbitrary code.

One of the critical fixes addressed crashes caused by memory corruption, which the developers felt could have been used at some point to run arbitrary code.

Two other high-profile bugs involved a misinterpretation of a particular piece of Adobe Flash code that could have been exploited, and a URI mismatch that also could have led to arbitrary JavaScript execution. However, there's no evidence in the bug reports that these security holes had been exploited.

AOL.com and AIM.com Web mail users should once again be able to view attached images inline and without hiccups. A bug created in Firefox 3.0.7 caused images to break where they had loaded properly in Firefox 3.0.6. Also, users who noticed previously stored cookies mysteriously disappearing should find that bug repaired.

The release comes as Mozilla prepares to release the fourth beta test of Firefox 3.5--the next version of the open-source browser. Mozilla had originally planned to release its new "Shiretoko" version of Firefox in early 2009. But after releasing Firefox 3.1 beta 3 last month, the organization behind the browser said a fourth beta is planned--and with the new version number, 3.5.

Expected changes in Firefox 3.5 include faster execution of Web-based JavaScript programs, a private-browsing mode, native support for the JSON (JavaScript Object Notation) technology for exchanging data between servers and browsers, and built-in audio and video abilities for bypassing Flash or other multimedia technologies.

In March, security-testing company Secunia reported that Mozilla had more vulnerabilities in its Web browser last year than Internet Explorer, Safari, and Opera combined, but that Mozilla dealt with those flaws more quickly than Microsoft did.

Meanwhile, Firefox continues to chip away at Internet Explorer's market dominance. Mozilla now has 22.05 percent of the global browser market share, compared with IE's 66.82 percent, a drop of more than seven percentage points in a year, according to figures from Web metrics company Net Applications.

Updates for Windows, Mac OS X, and Linux are available at the Mozilla site. (Downloads in all languages are available here.) Firefox 3 users will receive an update notification within 48 hours, or they can download the update manually by selecting "Check for Updates" from the Help menu.

CNET's Seth Rosenblatt contributed to this report.

Steven Musil is the night news editor at CNET News. Before joining CNET News in 2000, Steven spent 10 years at various Bay Area newspapers. E-mail Steven.
33 Comments
by nitespark April 22, 2009 12:24 AM PDT
Here is an interesting story that CNET has yet to post, I really don't know why it seems kind of important.
http://blog.kiplinger.com/techtracker/2009/04/piercing-apples-security-myth.html
maybe CNET censors what news they want to post.
by Angmarr April 22, 2009 1:19 AM PDT
ya i've noticed that too sometimes!
by clbowens April 22, 2009 4:58 AM PDT
What does that story have to do with THIS story? Maybe I'm missing something.
by monkeyfun14 April 22, 2009 5:06 AM PDT
Of course
by goodspeed8701 April 22, 2009 4:00 AM PDT
Now Firefox doesn't have that much market share to be so insecure. If they do, I wonder what will happen. Well, IE8 is good for me. You guys always bash it, but it's better from my perspective. Use your FF if it works for you.
by pentest April 22, 2009 8:02 AM PDT
Market share and security have nothing to do with each other.
The same vulnerabilities would still be there with 1 user or 5 billion.
by link48010 April 22, 2009 1:40 PM PDT
Want to know the difference between the two browsers? IE 8 was on some tests found to have fewer security issues than Firefox, however Firefox security problems were usually patched within the day, whereas IE could take as long as 9 days. Take your pick. Firefox is still my browser, Firefox+AdBlock Plus+NoScript. Spyware? What Spyware? I *laugh* in the face of malware coders, HAHAHAHAHA!
by goodspeed8701 April 22, 2009 1:56 PM PDT
@link so with all those security add-ons for Firefox they still can't be more secure than IE8. Don't worry, prevention is better than cure. IE8 protects me more than your NoScript and no-ads add-ons. I still go for IE and Opera. I don't see why a company would do a browser and expect other third-party add-ons to protect it.
by chapibol April 22, 2009 5:36 PM PDT
@pentest really? And tell me who's gonna take the time to exploit that vulnerability to infect 1 person when it can infect the other 5 billion? You Microsoft haters don't think or have any common sense anymore, do you?
by rmva April 22, 2009 5:23 AM PDT
What a piece of crap!
by unknown unknown April 22, 2009 11:34 AM PDT
How insightful. *sarcasm
by seven7dust April 22, 2009 6:47 AM PDT
opera FTW
by Mr. Dee April 22, 2009 7:12 AM PDT
Firefox - the new bio-hazard.
by pentest April 22, 2009 8:02 AM PDT
LOL
Too bad IE gets raped every day.
by Dalkorian April 23, 2009 11:22 AM PDT
Did anyone think that maybe Firefox is more secure *BECAUSE* they find, acknowledge and fix the vulnerabilities - unlike IE that denies, blames the user, waits until the vulnerability is exploited for a year, then patches while blaming the user again for viewing more porn sites?
M$ apologists are simply amazing - like zombies, they have learned to go through life with their brains turned off.
by Angmarr April 22, 2009 7:56 AM PDT
shun the non believers, read the "Book of Mozilla" and be enlightened Padawan!
by KTLA_knew April 22, 2009 8:23 AM PDT
"In March, security testing company Secunia reported that Mozilla had more vulnerabilities in its Web browser last year than Internet Explorer, Safari, and Opera combined, but that Mozilla dealt with those flaws more quickly than Microsoft did."
Wow, you BETTER fix them faster when you've got code that much worse than your competition combined.
Actually, the general flow of vulnerabilities isn't going to stop for any browser (IE, FF, or otherwise), so has FF *FINALLY* implemented running in a protected process like their competition has been doing for years? It's unforgivable that they didn't do that sooner, but did FF3.x finally fix this flaw?
by theosq April 22, 2009 9:20 AM PDT
I would care about protected processes if there was any evidence they stopped real browser exploits from taking place. Unfortunately, there is none -- Internet Explorer is still the fast track to get your machine taken over by Russian hackers, while Firefox continues to shut hackers down.
by KTLA_knew April 22, 2009 10:27 AM PDT
Ah. I can now see how the decision not to run in a protected process was made by the FF folks.
"We don't have this security feature, so it's not an important one. Therefore we don't need to implement it."
Gotcha. I presume this means FF will never run in a protected process. Good on them. Sheesh...
by unknown unknown April 22, 2009 11:51 AM PDT
Microsoft's own documentation states that protected processes are there to enhance DRM, which is a different threat model. A protected process stops access from unrelated processes to prevent common DRM circumvention techniques like thread injection, access to the process memory space, and attaching a debugger. It does not protect the process or the system from a flaw in that protected process, nor does it protect the system from flaws in plugins like Flash if the browser is run as such.
by KTLA_knew April 22, 2009 3:09 PM PDT
"It does not protect the process or the system from a flaw in that protect process..."
Wow, the lengths and lies folks will go to just to prove how true to their religion they are. It very specifically protects the system from a flaw in the protected process (and browsers will always have flaws), and add-ins like Adobe Flash have been updated to work with the IE protected mode broker process to keep that protection in place.
http://msdn.microsoft.com/en-us/library/bb250462.aspx
by unknown unknown April 22, 2009 3:25 PM PDT
@ KTLA_knew you need to use correct terminology then so people know what you're talking about. Running in protected mode is different than protected processes. Protected processes are part of the Windows Media Foundation API which provides access to the protected media pathway in Vista. Protected mode appears to be part of the same API as UAC.
http://www.microsoft.com/whdc/system/vista/process_vista.mspx
by Dalkorian April 23, 2009 11:26 AM PDT
"by unknown unknown April 22, 2009 3:25 PM PDT
@ KTLA_knew you need to use correct terminology then so people know what you're talking about."
You've already made the bad assumption that he knows what he's talking about to begin with. ;)
by dillion88 April 24, 2009 4:26 PM PDT
What are you talking about? I don't get the damn thing. Please tell it better!
by timberman07 April 22, 2009 8:32 AM PDT
OK, I give up. I'm thick!!! How the ding dong can I download Mozilla/Firefox when they keep putting up a little box telling me to close down Firefox? Anybody out there able to explain to me in plain English what I'm supposed to do pretty please. So I'm grey, bald and 65, but come on now.............
by theosq April 22, 2009 9:23 AM PDT
Close all your windows, including anything that might be Firefox related, like the download manager, and then start the installation.
If that doesn't work, and you're using Windows, press Ctrl-Alt-Del and look in the Task Manager for firefox.exe. Click on it, then "End Process," and then try again.
Otherwise, try these steps: http://forums.mozillazine.org/viewtopic.php?f=38&t=1130925
by jscott418 April 22, 2009 5:16 PM PDT
Well Firefox has become the big let down in browsers for me. I had high hopes for it at Firefox 2. But ever since FF3 I really have not liked it and it has become more and more slow with every passing update.
So much so IE 8 is looking pretty good. I still won't do anything Google, Chrome appears nice and it's pretty secure except from maybe Google itself. Which is what concerns me about Chrome. Opera just does not have enough site support at 1% user base. I may have to look at Safari 4 in final RC. It was looking pretty good in beta on Vista.
by alfmeister April 23, 2009 3:15 AM PDT
Iron. Take away all of the Google security issues, offer ad removal and you have Iron from SRWare. It's simply the fastest and best browser there is and it's free. I use it with my netbook and my desktop computers. You can even load it onto a flash drive as there is a portable version available that's just 12mb.
by guest86 April 22, 2009 5:32 PM PDT
Oh wow Firefox 3 get problems again, again like old versions? I think Firefox 4.0 will be out in near future.
I stick with SeaMonkey equip with NoScript, Flashblock, and AdBlock Plus add on and really faster than Firefox. SeaMonkey 2.0 will release soon. I can't wait to see new version. I hope SeaMonkey will win war against IE, Firefox, Opera, Netscape, Flock, and all other kind of internet programs. SeaMonkey use less memory ram, reduce CPU processor pressure and stable version.
by goodspeed8701 April 22, 2009 11:36 PM PDT
Only for no one has the time to make research and tell you how insecure you are with your SeaMonkey.
by PrivettP April 22, 2009 11:45 PM PDT
I have a Mac and use both XP and OSX. I know there's a lot of people who feel strongly regarding their browser. At one point Safari was faster than IE6. It was a good browser made to compete with the best on limited levels, but because it has not innovated, other browsers have passed and blown it away. I switched to Mozilla when they were the first to have tabbed browsing and spell check. I left because Microsoft took me for granted. I don't hate Microsoft. I feel they have improved their browser. But I could see Mozilla was really trying their best to improve their browser with the limited resources they had. I didn't get that from MS. MS has done a lot to secure their browser and Mozilla, now that it's popular, has to safeguard against the same issues. I'm amazed that Mozilla cannot zoom like IE7. And for whatever reason the forward and reverse buttons work sometimes with Mozilla in OSX.
Safari has had a lousy spell check, bookmarking, etc. for so long, I'm ready to remove it unless it upgrades
by exactlyy April 23, 2009 11:24 AM PDT
seems like so many people have stopped using their minds..
since when is updating a software to make it more secure considered to be bad?
so many of you IE fanboys been using IE8 for over a month.. and it's full of crap, when do you think Microsoft is going to patch it?? and if they patch it once or twice in 2009, does that mean it's more secure than Firefox because it was patched less??
by dillion88 April 24, 2009 4:25 PM PDT
This **** is gay