May 12, 2005 8:20 AM PDT

Mozilla releases Firefox security update

A security update for the Firefox open-source browser has been released by the Mozilla Foundation, a move that follows the public disclosure of exploit code for two "extremely critical" vulnerabilities.

Mozilla's Firefox 1.0.4, released Wednesday, addresses vulnerabilities that surfaced earlier this week. The update includes several security fixes, as well as a fix to DHTML errors that were encountered on some Web sites, according to a posting on Mozilla's Web site.

The update is designed to address the two flaws, which when combined could allow malicious attackers to engage in cross-site scripting and remote system access. Although the two vulnerabilities could be exploited, there were no known active exploits.

Security monitoring company Secunia had rated the flaws as "extremely critical."

The update means that people can safely install extensions from non-Mozilla sites, whereas before they were at risk because of the vulnerabilities, said Chris Hofmann, director of engineering for Mozilla.

Currently, Mozilla has the update out in 12 languages and anticipates sending it out in another 24 languages in the coming days, Hofmann said.

Since the debut of Firefox 1.0 in November, the browser has grown at a rapid pace, passing the 50 million download mark last month.

With its initial release last fall, the open-source browser has demonstrated to analysts that the mature Web browser market dominated by Microsoft's Internet Explorer can be shaken up. Microsoft's IE has begun to see its market share dip slightly--a first in a number of years.

Firefox held 6.8 percent of the domestic market share as of late April, while Microsoft saw its role dip to 88.9 percent, compared with more than 90 percent share last year.

The fast-paced growth of Firefox, however, is beginning to show signs of slowing, according to results released this week by WebSideStory.

14 comments

not bad!
4 days to get the update?
Not bad at all!
Posted by feranick (211 comments )
yep
That's open source for you. Oh and they didn't get proper notice of the flaw (meaning 30 days).
Posted by sanenazok (3047 comments )
yar
actually 2 days, I have been running 1.0.4 since Tuesday.
Posted by pcLoadLetter (395 comments )
new update...
...and i've already gotten it

why?
because i spend my whole life worrying about how safe and secure my browser is

i check up on new updates every day
how fast i get it is a matter of life and death
'cause i won't know what to do if anything happens to my comp

perhaps once in a while i'll get a life
Posted by (4 comments )
public disclosure
Actually multiple exploits were reported to Mozilla on May 2nd, which was 1 week earlier. But they were kept secret while Mozilla was working on a fix. However, one of those exploits got leaked to the public on May 9th, which is the incident we all know about. Only after this "public disclosure" did Mozilla issue a fix in the form of Firefox 1.0.4 two days later.

So technically it was 9 days with 7 days of secrecy.

Earliest Bug Report: May 2
http://bugzilla.mozilla.org/show_bug.cgi?id=292691

Leaked Bug Report: May 9
http://bugzilla.mozilla.org/show_bug.cgi?id=293302
Posted by nrlz (97 comments )
It's almost as if they were working on it...
...before the vulnerabilities hit the "news."
Posted by M C (572 comments )
Fantastic!
This is fantastic service! Please put some more extremely critical security flaws in your products so we can all be impressed with your fast turn around times.
Posted by (18 comments )
Still waiting
Still waiting for my update to IE. Using Win2K. Still out in the cold. I guess Mozilla beat them in that race even though MS had a couple of months head start.
Posted by amadensor (234 comments )
Come join usssssss
In using the windows 2000 with spiffy eye candy bloatware. You'll find bliss once you embrace it.
Posted by sanenazok (3047 comments )
Yeah, Right...Safe And Secure
How's about that...quite a lot of patches for a browser supposedly so safe and secure.
Posted by slapmaxwell (7 comments )
Yet another blind critic......
Really, you're showing off your lack of insight.

Nobody said Firefox was secure. Nobody said Firefox was safe. Nobody is safe, and nobody is secure.

I'm guessing you never saw the word "more" when someone mentioned "more secure". Also, if you can read properly, the correct slogan is "SafER, fastER, bettER"
Posted by hion2000 (116 comments )
Not as many security patches as IE
Or as Safari.
Posted by skiracer712 (73 comments )
Why doesn't the Firefox updater work...
I can always check it to see if there are updates, but I can never download them. There has been one called "Saferfox" for a while now. Can't download it though.

Maybe it's a bandwidth problem? They should make the updates hosted with bittorrent or some P2P system so that updates can actually be downloaded through Firefox.
Posted by wazzledoozle (288 comments )
Firefox is better than IE with regard to security
This is the difference between IE and Firefox: Firefox is always more secure than IE, and faster when it is necessary to repair bugs.

My Firefox home page: http://www.daniel.prado.name/download-firefox.asp
Posted by danonneus (3 comments )