July 16, 2009 8:14 PM PDT

Mozilla closes security hole with Firefox 3.5.1

by Stephen Shankland

Mozilla updated Firefox to version 3.5.1 for Windows, Mac, and Linux on Thursday, fixing a security problem, improving stability, and speeding launch time on some Windows systems, according to the release notes.

"We strongly recommend that all Firefox 3.5 users upgrade to this latest release," browser director Mike Beltzner said in a blog post Thursday.

Firefox 3.5 embodies Mozilla's hope to build a better foundation for Web applications, but about two weeks after its debut, a vulnerability in the browser's JavaScript engine came to light. Mozilla rated it "critical" because an attacker could create a Web site that would run malicious code on the computer.

The new version can be installed from Mozilla's download site or by selecting "Check for Updates" in the Help menu. Unfortunately, when I did so, Firefox warned me that the newly updated Gears 0.5.29.0 plug-in from Google becomes incompatible again.

Update July 17 1 p.m. PDT: A patch to fix the Gears compatibility issue is under way.

Stephen Shankland writes about a wide range of technology and products, but has a particular focus on browsers and digital photography. He joined CNET News in 1998 and since then also has covered Google, Yahoo, servers, supercomputing, Linux and open-source software, and science. E-mail Stephen, or follow him on Twitter at http://www.twitter.com/stshank.
by indiemixer July 16, 2009 8:30 PM PDT
Wooooow, Gears was just updated to be compatible with FF 3.5 and now no more compatibility. Lame.
by cvaldes1831 July 16, 2009 8:48 PM PDT
Hey, Gears is beta software. Functionality is optional.
by quasi42vt July 17, 2009 10:59 AM PDT
Gears 0.5.29.0 actually does work if you use the Nightly Tester Tools extension to override compatibility. This wasn't the case where past versions of Gears were found to be incompatible with new versions of Firefox which is why I'm mentioning it here. You can also re-enable Gears functionality by setting "extensions.checkCompatibility" to "False" in "about:config" although that's never the best choice. Just remember to set it back to "True" once Google gets their Gears updated...again.
by dlauber July 16, 2009 9:33 PM PDT
Now that update was fast! Amazing.

Regarding the Gears add-on, did you try to override compatibility? FF 3.5 declared a number of my add-ons as "incompatible" again, but overriding compatibility worked just fine. Just download and install the Nightly Tester Tools add-on to make overriding compatibility easy.
by Vegaman_Dan July 16, 2009 9:58 PM PDT
The article doesn't state which security hole was patched, only that FF has had a security hole patch and that there was also one discovered this week. That would be really surprising to see such patched after extensive testing in such a short time. If it IS for the same security issue, then that screams just how serious it would be if they would rush out an update without testing it fully or through normal channels.

Rushed patching leads to compatibility trouble as has been demonstrated.

But any patch to help things out is a good thing
by JoeF2 July 16, 2009 11:27 PM PDT
@vegaman:

LOL. Are you trying to find an excuse for the fact that Microsoft needs months to close such bugs?
You MS fanboys are sooo predictable.
If MS can't test fixes to their browser so quickly, that only hints at what a convoluted mess the IE source code must be.
by nopinktoday July 17, 2009 4:18 AM PDT
@JoeF2

Vegaman didn't even mention Microsoft. Stop trolling yourself.

ON TOPIC: I dunno about other people but the update took me a good 10 seconds. I was really pleased. ^_^
by monkeyfun14 July 17, 2009 9:46 AM PDT
@JoeF2

Was Microsoft even mentioned in his post? If not ****
by JoeF2 July 17, 2009 10:19 AM PDT
To the other trolls:
Are you really that naive or are you just playing naivete?
If you read Vegaman's posts on other threads you'd know exactly what he meant...
Now crawl back into your holes, you MS shills.
by JoeF2 July 17, 2009 10:21 AM PDT
Oh, and monkey boy is of course also a known MS fanboy, just like vegaman.
by Vegaman_Dan July 17, 2009 10:53 AM PDT
@JoeF:

I didn't mention Microsoft, but if you want to bring it up, then sure. Microsoft does take time to release patches because they do take the time to test it thoroughly with applications, the OS, and third party products. To blindly release a patch upon the wild without thorough testing indicates either sloppy work or that the vulnerability was so extreme as to demand immediate patching and just suffer the consequences of compatibility issues as one was more impacting than the other.

I'm afraid the only one trolling here was you. You made a link to Microsoft that wasn't there in the first place. Feeling a bit defensive, perhaps?

Clue. Get one. They are cheaper by the dozen.
by FF2009 July 17, 2009 4:04 AM PDT
One more reason to Love Firefox. Patching their Browser in 24 Hours.

Got to love it.
by Shankland July 17, 2009 7:21 AM PDT
Actually, the hole was publicly disclosed on July 13, so it took more than one day to close it: http://www.milw0rm.com/exploits/9137

Mozilla says on its blog it was discovered the week earlier too; they may have known about it before public disclosure. http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/
by danathompson July 17, 2009 5:33 AM PDT
Firefox is good. They have finally patched it up. This is the best browser ever. I really like the new features of tabbed browsing and private browsing. All of my favorite add-ons like Billeo, Cooliris, FoxTab etc are compatible with Firefox 3.5 https://addons.mozilla.org/en-US/firefox/addon/12715
by Techedots July 17, 2009 6:08 AM PDT
Firefox is already many times better than Internet Explorer, and now by fixing the security hole FF has gone miles away from IE. The best thing I love in FF is "Private Browsing"
[CNET editors' note: Prohibited content deleted.]
by sfdxsm July 17, 2009 6:43 AM PDT
Microsoft .net framework 1.0 also gets disabled with this update.
by psapozhnikov July 17, 2009 6:49 AM PDT
Google gears 0.5.29 wasn't fully working in ff 3.5. It was working in gmail for the offline storage but not in google latitude on the iGoogle home page. Now I updated to ff 3.5.1 and google gears is no more!
by Shankland July 17, 2009 1:06 PM PDT
FYI a patch to restore Gears compatibility is in the works:

http://code.google.com/p/gears/source/browse/trunk/gears/base/firefox/install.rdf.m4?spec=svn3386&r=3385
by psapozhnikov July 18, 2009 7:31 AM PDT
Looks like gears 0.5.30 has been released for ff 3.5.1. Still no latitude compatibility.

-p
by CaptThom July 17, 2009 7:16 AM PDT
Echo the speed and simplicity of downloading and installing the patch. Took 30 seconds tops. Another reason why Firefox is my go-to browser.
by Freedomstarfox July 17, 2009 7:19 AM PDT
Awesome. That was a really fast patch. :)
by jrolin1 July 17, 2009 10:21 AM PDT
If you just do the check for updates and you are not running 3.5 then it will download (at least as of this moment) 3.5 and you will need to check for updates again to get it updated to 3.51. It is possible that someone could be more vulnerable by installing 3.5 without the additional 3.51 update. I am sure that will be fixed shortly.
by Hokulea July 17, 2009 11:24 AM PDT
I have been using Mozilla browsers since they first spun off from Netscape. While Fx 3.5x is my current browser of choice, I consider it to be less secure than running IE8 in protected mode with Vista.

Just because a patch is released quickly doesn't mean that it's a good one. It takes time and a lot of effort to make sure the fix actually does what it's intended to do without causing other problems. Solutions that create more problems than they solve are poor solutions.

I believe Microsoft takes the time to thoroughly validate their patches and updates before release. At the same time, I question their philosophy regarding classification of vulnerabilities. MS tends to lump exploits that require some user interaction at a lower priority. Considering how ignorant many people are about secure computing, I think it would be best to classify vulnerabilities by what they do and not how they are acquired.

I continue to use Firefox solely because of Adblock Plus. If IE8 had ad blocking then that would be my browser of choice.
by ColinABQ July 17, 2009 4:28 PM PDT
RE Speeding launch times on some Windows systems: my system isn't one of them. In fact, 3.5.1 is several seconds slower to launch than 3.5 was, and it was pretty dismal. Reading through the linked thread on that is depressing. Quite a mess.

I've been using Firefox for several years, and recommending it to friends and family. No more. The MozFolk screwed the pooch, and their users, with the 3.5 release. They pushed it out for all the wrong reasons, most notably the PR that they knew their DRAFT HTML 5 support would generate. I think they lost sight of some core functionality and usability, in their rush for glamor and their lust for downloads and installs -- stats to tout. 3.5 was NOT ready for release, and neither is 3.5.1. Yes, perhaps we should applaud their rapid response on the security issue, but it should be golf clapping. I have a local history of being pretty quick to bash Microsoft but at this point, I'm with Hokulea. If IE 8 had AdBlock Plus functionality, and something like NoScript, I'd be done with Firefox.
by ColinABQ July 20, 2009 5:03 AM PDT
I came back to correct myself. (I hate when this happens).

Without any further updates having been applied, that I am aware of, my FF 3.5.1 start-up times have improved. When I wrote my original post, after clearing cache and rebooting, my start-up time was over 20 seconds. (I tried it at least three times, because I just couldn't believe it.) On Saturday, the day after my post, I noted that it had dropped to 12 seconds or thereabouts, fairly reliably. Today, under the same conditions, it is finally down to less than 10 seconds, coming in at about 8 seconds. Whether that is acceptable or not is an open question, and each user must make that call. I don't like it, but I'll live with it for now.

I have no idea what changed, though I wish I knew because that might help isolate the actual problem. Regardless, I suppose I should apologize for my harsh tone on the 17th. I still feel that some of Mozilla's motivations were, and are, questionable, but the start-up time issue, specifically, is diminishing.

Will I revert to recommending FF to friends and family? No, not until start-up times are reliably less than 5 seconds, comparable to IE 8.
by jackmsw July 20, 2009 3:52 AM PDT
I'm not a techie. When I installed the upgrade, I was notified that Google Desktop is no longer compatible. Something like this likely to get attention?
by resu eman July 23, 2009 6:49 AM PDT
The latest version of Firefox (3.5.*) keeps crashing on my laptop.
I didn't have any issues with the previous versions, but now it crashes just by launching it.
I'm hoping CNet download gives me access to the previous version because if not, I'm giving up on Firefox.