Earlier in November, Firefox surpassed 25 percent usage share of Web browsers, according to Net Applications. (Credit: Net Applications)
Mozilla released a third beta of Firefox 3.6 on Wednesday, adding stability and performance features, and said it hopes to lock down the code soon for its first release candidate.
The new beta, for Windows, Mac, and Linux, includes a component directory lockdown that makes it harder for other software to meddle with the open-source browser's state by preventing that software from sidling into the same folder as the browser's own components. The result should be fewer crashes, said Mozilla's Johnathan Nightingale in a blog post, and Firefox still is open to third-party extensions via its official add-on mechanism.
The change should improve security as well, added another Mozilla programmer, Vladimir Vukicevic, who wrote in his own blog post that Mozilla is considering bringing the change to Firefox 3.5, too.
"Creating binary components to interface with the operating system or with other applications is fairly straightforward, though ultimately dangerous. Binary components have full access to the application and OS, and so can impact stability, security, and performance," Vukicevic said.
Also in the latest beta of 3.6 is a feature that lets the browser run some Web-based JavaScript programs asynchronously, which is to say without being so picky about the order in which the scripts run. This can improve the speed at which Web pages load, Mozilla said.
The biggest Firefox 3.6 feature most folks will notice is Personas, the reskinning add-on that's now being built in. More than 10 million Personas have been downloaded so far, Suneel Gupta and Myk Melez of the Personas team said Wednesday.
Mozilla is working to release a final version of Firefox 3.6 before the end of the year, and one sign the project is wrapping up is that the developers are locking down the features and changes that can be added into the release candidate 1. Code freeze for RC1 is scheduled for Wednesday but might be at risk, a Mozilla planning site said this week.
Firefox is steadily gaining in use. Last week, Web traffic monitoring firm Net Applications announced Firefox cleared 25 percent share of those using browsers worldwide--not dethroning Internet Explorer by any means but still winning over new users. Mozilla estimates there are more than 300 million Firefox users total, and this week said there are more than 300,000 testers using the Firefox 3.6 beta.
Google's Chrome, meanwhile, is appealing to some of the same browser enthusiasts who were Firefox's first users. One of its big selling points is speed, and Google is working on other ways to make the Web faster, too. Chrome gives it a vehicle to test such ideas out in the real world, a strategy that Apple, Opera, and Firefox have employed to advance the Web state of the art.
One Mozilla programmer, Alexander Limi, revealed a speedup technology called Resource Package for Mozilla, too, on Tuesday. His proposal calls for bundling many Web page elements up into a single compressed file that can be retrieved in a single Web-page request action. Browsers are limited in the number of such actions they can take in parallel, so consolidating the interactions can make pages load faster. The approach is backwards compatible with existing browsers that don't support the feature, he added.
"If the feedback is good we're likely to try and get this implemented for Firefox 3.7," said Mozilla evangelist Christopher Blizzard in a blog post Tuesday.
Mozilla and Microsoft don't always see eye to eye when it comes to browser technology, but they agree broadly on one thing: thumbs down for Google Chrome Frame.
Chrome Frame is a plug-in that puts Google's browser engine under the hood of Microsoft's Internet Explorer, and Google argues that it can modernize IE versions 6, 7, and 8 with faster page loading and JavaScript performance. It kicks in only on Web pages that Web developers have labeled with a specific tag. After Google announced it, Microsoft criticized it as creating a potentially increased risk to browsing security.
Google Wave is one site that suggests IE users install Google Chrome Frame. (Credit: Google)
Mike Shaver, vice president of engineering for Firefox backer Mozilla, published a different concern in a blog post Monday night.
"I certainly share that longing for a Web in which the vast majority of Web users enjoy the performance and capabilities we see in Chrome, Safari, Firefox, and Opera. Unfortunately, I don't think that Chrome Frame gets us closer to that Web," Shaver said.
Specifically, Shaver said Chrome Frame can disable IE features and muddle users' understanding of Web security matters. And users of the reviled IE 6 browser, he added, often won't be able to run Chrome Frame anyway because their computer is locked down to prohibit changes or lacks sufficient power in the first place.
"As a side effect, the user's understanding of the Web's security model and the behavior of their browser is seriously hindered by delegating the choice of software to the developers of individual sites they visit. It is a problem that we have seen repeatedly with other stack plug-ins like Flash, Silverlight and Java, and not one that I think we need to see replayed again under the banner of HTML5," he said.
Shaver's advice is to rely on that ages-old technique: an upgrade suggestion on the Web site.
"It would be better for the Web if developers who want to use the Chrome Frame snippet simply told users that their site worked better in Chrome and instructed them on how to install it," Shaver said. "The user would be educated about the benefits of an alternate browser, would understand better the choice they were making, and the kudos for Chrome's performance would accrue to Google rather than to Microsoft."
Mozilla on Wednesday released two new versions of its browser, Firefox 3.5.3 and 3.0.14, that patch three critical security holes and fix assorted other bugs.
The updates can be fetched through the Help menu's Check for Updates option, or can be downloaded directly.
Although Mozilla still supports the 3.0 version, it's pushing people to the 3.5 version, and support for the 3.0 series will end in a few months. Version 3.5, released in June, supports a variety of new Web page technologies and includes a faster JavaScript engine for running Web-based programs.
Interested folks can read the release notes.
Mozilla updated Firefox to version 3.5.1 for Windows, Mac, and Linux on Thursday, fixing a security problem, improving stability, and speeding launch time on some Windows systems, according to the release notes.
"We strongly recommend that all Firefox 3.5 users upgrade to this latest release," browser director Mike Beltzner said in a blog post Thursday.
Firefox 3.5 embodies Mozilla's hope to build a better foundation for Web applications, but about two weeks after its debut, a vulnerability in the browser's JavaScript engine came to light. Mozilla rated it "critical" because an attacker could create a Web site that would run malicious code on the computer.
The new version can be installed from Mozilla's download site or by selecting "Check for Updates" in the Help menu. Unfortunately, when I did so, Firefox warned me that the newly updated Gears 0.5.29.0 plug-in from Google becomes incompatible again.
Update July 17 1 p.m. PDT: A patch to fix the Gears compatibility issue is under way.
There is a critical JavaScript vulnerability in the Firefox 3.5 Web browser, Mozilla has warned.
The zero-day flaw lies in Firefox 3.5's Just-in-time (JIT) JavaScript compiler. Proof-of-concept code to exploit the vulnerability has been posted online by a security research group, Mozilla said in a post on its security blog on Wednesday. Security company Secunia rated the vulnerability as "highly critical" on Wednesday.
The hole could allow a hacker to launch a "drive-by" attack, according to Mozilla. That means an attacker may be able to execute malicious code on a target machine, if the victim visits a Web site containing an exploit.
No patch is currently available, but Mozilla developers are working on a fix. A workaround suggested in the blog post is to disable the Firefox 3.5 JIT compiler. However, Mozilla warned this would result in decreased JavaScript performance in Firefox.
The JIT compiler is part of TraceMonkey, which was added to Firefox for its 3.5 update released at the end of June. TraceMonkey is meant to optimise the browser, which is faster than previous iterations of Firefox, according to Mozilla.
On Wednesday, the United States Computer Emergency Response Team said users and administrators should completely disable JavaScript functionality in Firefox 3.5.
The SANS Institute also said people could disable JavaScript, and suggested using NoScript, an open-source Firefox plug-in that allows script to be executed only by trusted Web sites.
Tom Espiner of ZDNet UK reported from London.
Updated at 11:32 a.m. PST with a summary of the bug fixes.
Mozilla released an update to Firefox 3 on Tuesday that patches 12 security vulnerabilities, four of which it rated as critical.
Firefox 3.0.9, the Web browser's third update this year, fixes two critical vulnerabilities in the Firefox browser engine and two in its JavaScript engine, according to a security advisory posted Tuesday:
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort, at least some of these could be exploited to run arbitrary code.
One critical security bug fixed crashes caused by memory corruption, which the developers felt could have been used at some point to run arbitrary code.
Two other high-profile bugs involved a misinterpretation of a particular Adobe Flash code that could have been exploited, and a URI mismatch that also could have led to arbitrary JavaScript executions. However, there's no evidence in the bugs that these security holes had been exploited.
AOL.com and AIM.com Web mail users should once again be able to view attached images inline and without hiccups. A bug created in Firefox 3.0.7 caused images to break where they had loaded properly in Firefox 3.0.6. Also, users who noticed previously stored cookies mysteriously disappearing should find that bug repaired.
The release comes as Mozilla prepares to release the fourth beta test of Firefox 3.5--the next version of the open-source browser. Mozilla had originally planned to release its new "Shiretoko" version of Firefox in early 2009. But after releasing Firefox 3.1 beta 3 last month, the organization behind the browser said a fourth beta is planned--and with the new version number, 3.5.
Expected changes in Firefox 3.5 include faster execution of Web-based JavaScript programs, a private-browsing mode, native support for the JSON (JavaScript Object Notation) technology for exchanging data between servers and browsers, and built-in audio and video abilities for bypassing Flash or other multimedia technologies.
In March, security-testing company Secunia reported that Mozilla had more vulnerabilities in its Web browser last year than Internet Explorer, Safari, and Opera combined, but that Mozilla dealt with those flaws more quickly than Microsoft did.
Meanwhile, Firefox continues to chip away at Internet Explorer's market dominance. Mozilla now has 22.05 percent of the global browser market share, compared with IE's 66.82 percent, a drop of more than seven percentage points in a year, according to figures from Web metrics company Net Applications.
Updates for Windows, Mac OS X, and Linux are available at the Mozilla site. (Downloads in all languages are available here.) Firefox 3 users will receive an update notification within 48 hours, or they can download the update manually by selecting "Check for Updates" from the Help menu.
CNET's Seth Rosenblatt contributed to this report.
Correction and update: This post was updated at 1:53 p.m. with a corrected headline (the word "patched" was missing) and additional and winnowed information on the security holes.
Mozilla published a critical security upgrade for Firefox Friday evening. Version 3.0.8 for Windows, Mac, and Linux fixes two security holes listed as "critical."
One patched an arbitrary code execution hole through an XUL element, and the other corrected an XSL stylesheet exploit. Both fixes patch crash-based security holes in which remote code could have been run.
The release notes for Firefox 3.0.8 are available here.
Mozilla reported more vulnerabilities in its Firefox Web browser last year than Internet Explorer, Safari, and Opera combined, but Mozilla dealt with those flaws more quickly than Microsoft, according to a new report by vulnerability-testing company Secunia.
Firefox had 115 reported flaws in 2008, nearly four times as many as every other popular browser, and nearly twice as many as Microsoft and Apple combined, according to browser vulnerability research (PDF) released this week. In comparison, Microsoft reported 31 flaws in IE, Apple reported 32 in Safari, and Opera reported 30.
However, the report found that Mozilla was quicker to patch Firefox's flaws that were disclosed publicly without vendor notification compared with Microsoft. These "zero day" vulnerability disclosures contain information that can be used by attackers to write exploits for the flaw. The longer it takes vendors to release an update that repairs the vulnerability, the longer users of the browser are at risk.
Secunia reports that Microsoft took longer to fix two more serious flaws than Mozilla did with two less serious flaws. (Credit: Secunia)
Secunia reported six incidences in which Microsoft was publicly notified of browser vulnerabilities, two of which the security company labeled as "high" or "moderate" in severity. Meanwhile, Mozilla experienced three such occurrences, all of which Secunia labeled as "less critical" or "not critical."
Microsoft took 110 days to issue patches for the two most serious flaws, while it took Mozilla an average of 43 days to address its three flaws, Secunia reported. One of the IE vulnerabilities remained open for 294 days in 2008, according to the report.
The revelation comes as Mozilla released an update Wednesday to Firefox, its second in about a month. Mozilla developers said the update fixes six critical vulnerabilities found in Firefox 3.0.6, the most serious of which could allow attackers to run arbitrary code on a victim's computer.
Firefox continues to chip away at Internet Explorer's market dominance. Mozilla now has 21.77 percent of the global browser market share, compared with IE's 67.44 percent, a drop of more than 7 percentage points in a year, according to figures from Web metrics company Net Applications.
Mozilla on Wednesday released an update to the Firefox Web browser that its developers said fixes eight security issues found in Firefox 3.0.6, six of which were rated critical.
The most serious of the vulnerabilities fixed in version 3.0.7 for Windows, Mac, and Linux could allow attackers to run arbitrary code on a victim's computer, Mozilla warned in security advisories Wednesday.
The six critical flaws affect the browser's garbage collection--which monitors how Firefox modules use the computer's memory--as well as the browser's PNG libraries and the layout and JavaScript engines.
Mozilla developers said they weren't sure the layout and JavaScript flaws could be exploited.
"Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code," Mozilla said in an advisory.
Updates for Windows, Mac OS X, and Linux are available at the Mozilla site. Firefox 3 users will receive an update notification within 48 hours, or they can download the update manually by selecting "Check for Updates" from the Help menu.
The update--Mozilla's second this year--comes as Firefox continues to chip away at Internet Explorer's market dominance. Mozilla now has 21.77 percent of the global browser market share, compared with IE's 67.44 percent, a drop of more than 7 percentage points in a year, according to figures from Web metrics company Net Applications.
Mozilla has released updates to its popular Firefox browser, its Thunderbird e-mail client, and its SeaMonkey application suite, aiming to address highly critical security flaws that could expose users' sensitive information.
Users are advised to update to version 3.0.5 of Firefox, which was released Tuesday. They are also advised to update to version 2.0.0.19 of Thunderbird and version 1.1.14 of SeaMonkey.
The vulnerabilities were found in earlier versions of Firefox 3, as well as in versions of Firefox 2.
According to a research note released Wednesday by security researcher Secunia:
Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to bypass certain security restrictions, disclose sensitive information, conduct cross-site scripting attacks, or potentially compromise a user's system.
- Errors in the layout and JavaScript engines can be exploited to corrupt memory and potentially execute arbitrary code.
- An error when processing the "persist" XUL attribute can be exploited to bypass cookie settings and uniquely identify a user in subsequent browsing sessions.
- Multiple errors can be exploited to bypass the same-origin policy, disclose sensitive information, and execute JavaScript code with chrome privileges.
One advisory addresses critical security flaws in all three programs (Firefox, Thunderbird, and SeaMonkey) that could arise from memory corruption and result in malicious attackers launching arbitrary code from users' computers.
Mozilla also notes that another set of critical vulnerabilities in all three could redirect users from a legitimate site to a malicious one, where users' private data could be stolen. And a third set of critical flaws noted in all three could lead to the launching of arbitrary JavaScript within a different Web site.







