July 17, 2008 1:29 PM PDT

Mozilla updates Firefox with three security patches

by Robert Vamosi

On Thursday, Mozilla pushed out a security update for its new Firefox browser. Version 3.0.1 for Windows and Mac addresses vulnerabilities involving malformed GIF files on Mac OS X, command-line URLs that could launch multiple tabs when Firefox is not running, and potential remote code execution through an overflow of the CSS reference counter.

Meanwhile, Mozilla updated the earlier version of Firefox with version 2.0.16 on Tuesday. That update addresses two of the Firefox 3 critical issues: the command-line URLs and the CSS reference counter overflow.

Version-specific updates have been pushed out automatically to existing Firefox users.

Mozilla will continue to update Firefox 2 until mid-December.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
Showing 1 of 2 pages (28 Comments)
by Lerianis July 17, 2008 2:07 PM PDT
Well, at least Mozilla is very fast about getting the updates out there when they need to get them out there! Personally, I knew that Mozilla was not going to be able to make a total vulnerability free browser..... but they have done a pretty good job of improving Firefox, even over the 2 version.
by Dalkorian July 17, 2008 3:54 PM PDT
I doubt if there is such a thing as a "total vulnerability free" anything in our world. Pothing is nerfect. The biggest benefit of FF, besides functionality, is the fact that it's *NOT* ingrained into the OS in an unnatural (unholy?) way. FF is just another application to the OS, but IE has tentacles deep into the OS layer (winblows exploder uses parts of IE).
by The_Decider July 17, 2008 9:50 PM PDT
nbh
by amarkj July 17, 2008 2:18 PM PDT
Funny how people are so forgiving with Firefox...
by waltermera182 July 17, 2008 2:54 PM PDT
c'est la vie
by birdpiercefan3334 July 17, 2008 4:54 PM PDT
Well, I updated it, and Tab Mix Plus isn't compatible with the new Mozilla Firefox (3.0.1). I had to go to the main web page and download the development Add-On. Other than that, it worked fine for me. That was a quick update, Mozilla, good job!
by ElDudde July 17, 2008 6:21 PM PDT
Wow, can you believe the amazingly superior FireFox could have a need to patch their superior web browser. Geez, that's like Apple being unable to activate their incredibly amazing IPhone. They must have some Microsoft engineers working for them.
by camanda July 17, 2008 6:39 PM PDT
Microsoft engineers working at Mozilla? What's next, George Bush teaching weapons recognition classes to SWAT teams?
by emtgregg July 17, 2008 8:39 PM PDT
Geez, Apple not being able to activate what IPhones? You can't even get them now until Mid August. That's a huge issue with millions of people who want to get it.

Let's see a service update for something the customer already has and can use without the update versus not even being able to get a phone and having to take home a non-working phone just to get it activated, if you can get it activated.

I'll take my free browser that I am using right now any day over a phone that I can't even put my hands on if I wanted to buy one.
by The_Decider July 17, 2008 9:47 PM PDT
Take every patch from all FF versions and it is still a fraction of the security fixes for IE7 alone.

At least FF isn't getting exploited every day like IE.

[CNET editors' note: personal attack deleted].

Leria, You "knew" the FF3 wouldn't be perfect? How brilliant of you!
by make_or_break July 18, 2008 6:43 PM PDT
Then again if FF controlled 80%+ of the market like IE does now, would you then really think it would be so attack-free? The malware clans go where the best action is; if IE was only a bit player, then it gets bit action. No big paydays there.
by The_Decider July 17, 2008 9:49 PM PDT
"Funny how people are so forgiving with Firefox..."

So forgiving?

Of what? That FF fixed the issue fast enough that it wasn't exploited?

If MS could do that we might be more forgiving of its thousands of flaws and exploits running around for it.
by bscr72 July 18, 2008 9:33 AM PDT
Here we go again: Mozilla's patches are seen as saviors, while MS patches are seen as 'too late' and patching a crappy product. Mr. Vamosi, please attend journalism school and take a class in fair, unbiased reporting....it lacks in your articles. We know you're biased, but just like the world is not waiting for my opinion, it's not waiting for yours either.

FireFox is just as buggy and can't get it right either..they still need to release security patches..so are you really safer with FireFox? Maybe a little, but the facts speak for themselves.

And yes, I will be slammed for this....but facts are facts..even if they are easily overlooked.
by MSSlayer July 18, 2008 11:53 AM PDT
Microsoft patches are usually too late. They more often than not come after there are exploits for it in the wild.

If you knew the difference between a flaw, an exploitable flaw and an exploit you wouldn't be asking such inane questions.
by firefoxluva95 July 18, 2008 10:42 AM PDT
Buggy? Define buggy as I haven't experienced any bugs. Security flaws are not really considered bugs, they are flaws. They are discovered by hackers who have the only goal of breaking into/compromising your system.

Security patches? Well obviously there needs to be security patches. You don't think hackers are gonna just sit there and keep trying to exploit the same security flaws? No, what hackers do is attempt to find new ways to exploit things. They aren't stupid, they adapt with the patches. Nobody is safe when they are connected to other computers (the internet). There isn't 100% safe, there is safer. Think about it, Microsoft keeps with their patch Tuesday schedule. What if there's a security problem exploited on Wednesday the week before? Now think about Mozilla, oh there's a problem, let's fix it and push this build out ASAP. Also Firefox has been shown to be the most updated browser simply because of the easy way of updating using the partial update method. I still don't like downloading a full exe each time to update Opera and I certainly don't want to wait for Windows Update to update my IE. Obviously the most frequently updated and patched browser will be the safer one. The browser evolves with the dangerous environment on the internet much more quickly.
by MSSlayer July 18, 2008 11:54 AM PDT
"They are discovered by hackers who have the only goal of breaking into/compromising your system."

That is wrong. They are usually discovered by security researchers who want to stop the bad guys.
by bscr72 July 18, 2008 11:00 AM PDT
I'm not a MS lover, but only look at the facts. Both browsers have a far from clean track record. Mozilla did not patch issues that were discovered in 1.5 far into 2.0....You call that fast? MS has also been known to patch outside patch Tuesday, just for the record. Granted, Mozilla is the faster browser, but other than that it is about as prone to attacks as IE. What I think is hypocritical is the amount of people who give Mozilla kudos for something that should have been resolved in the first place. MS gets flak for doing the same thing.

My point is: look at it for what it is, not make it an issue because you love FireFox so much!
by MSSlayer July 18, 2008 11:56 AM PDT
You also have no context to back up your claims. A bug fixed in 1.5 when 2.0 is released is slow?

Perhaps, perhaps not. Depends when it was discovered.

That you can't see a difference should clue you in to the fact that you aren't educated enough to have a valid opinion.
by MSSlayer July 18, 2008 12:08 PM PDT
Just because FF has flaws doesn't mean that it is just like IE.

IE is part of a crappy OS, it doesn't just run on top of it. It is part of it. That means any exploit is automatically more severe because of it.

IE has thousands and thousands of security exploits floating around.

MS takes months to push out a fix, and when it is complete they wait for "patch day" to come around, even if it is three weeks away and some worm is ravaging its customers' machines.

Every non-trivial piece of software will have bugs (yes, a flaw is usually a bug) in it. That is a given. It doesn't excuse anyone for having massive amounts of flaws and exploits floating around for its piece of crap program.

If Firefox had new exploits written for it every day and Mozilla ignored reports for months and then took months to push out a fix they would get taken to task as well.

But they don't. They developed their program with security in mind which brings down the number of security issues considerably, but it doesn't bring it down to zero, and never will. They don't fight bug reports, they immediately investigate, fix and patch. That's what being a responsible, professional developer is about.

Secure programming, finding bugs and fixing them are not trivial exercises. They require deep understanding of not only the language you are using but the underlying OS memory management and what is going on in hardware. Too many "programmers" read C++ for dummies and write a hello world program and think they are qualified to be a developer. There is a reason most reputable development houses require at least a CS degree since most reputable CS programs give its students the background knowledge required to be a programmer, even with languages and frameworks that handle memory for the programmer. There are still many security and performance related issues that someone with the proper background can catch. Although sadly, very few CS programs require or even offer security specific courses, but this is slowly changing.
by bscr72 July 18, 2008 12:18 PM PDT
We are comparing apples and pears. The attacks on MS are indeed more prevalent and more widespread...my question is how Mozilla would handle the same issues and volume of possible attacks? Most likely not a whole lot better.

I fully agree with the last paragraph of your statement, having done developing myself. I'm playing devil's advocate here: while I agree that MS should not have made Internet Explorer part of the OS, there is absolutely no proof that Mozilla could handle the bugs, flaws, or whatever you would like to call them any better.
by firefoxluva95 July 18, 2008 3:49 PM PDT
The fact is Mozilla doesn't need to stand up to those attacks because it isn't built into the OS.
by JCPayne July 18, 2008 5:06 PM PDT
Facts are facts.... FF is Free doesn't have as large of a budget as M$ and yet it still nails the flaws quicker...... GO Firefox.... http://www.SpreadFireFox.com/
by JCPayne July 18, 2008 5:09 PM PDT
Facts are facts.... Correction.... Firstly FF is Free..... Also it doesn't have **as large** of a budget to work with as M$ and yet it still nails the flaws quicker...... I say GO Firefox.... http://www.SpreadFireFox.com/
by make_or_break July 18, 2008 6:48 PM PDT
Dunno about security flaws, but I had to revert back to 2.0.0.x because 3 was doing all sorts of unnatural things on one of my PCs (mostly session freezing). Thought the computer might've picked up something that was causing this, but haven't been able to detect any malware at all with any of the tools I have and other subsequent programs installed after FF3 was tried work fine.
by dribnif July 19, 2008 3:45 AM PDT
All I know is that after the update, all of my bookmarks (and bookmarks on my toolbar) were gone and I had to add them manually, trying to remember what they all were. I don't know if this is a FF thing or a Vista thing but it's suckety.
by acurapah July 19, 2008 12:22 PM PDT
Note Yahoo toolbar is not compatible with this firefox 3 update.
by macadato July 21, 2008 5:04 AM PDT
Firefox is the safest browser on earth.