Firefox releases Version 5; five remote code vulnerabilities fixed

Mozilla delivered on its promise to have the Version 5 release of its browser ready by midwinter’s day, which takes place today in Australia – 22 June 2011.

The new version officially calls itself 5.0, but the Version 4 release is just three months old, and has had only one point update (to Version 4.0.1).

It looks as though Mozilla is simply copying Google’s Chrome version numbering system in order to seem more “with it.”

Chrome now increments the leftmost number in its version string with every release, which gives the impression that it is making faster progress than products which change their major version number less frequently. That’s good marketing, of course, but poor science by the observer. (Your car doesn’t really increase in speed by 60% when you switch the speedo from MPH to KPH.)

With Chrome already up to Version 12 (and 13 in beta), Mozilla clearly feels that lagging back at V4 for more than a few months would look tardy. V3 is now the previous version – the official page of “all older versions” lists V3.6.18, and that’s that.

As I’ve mentioned before, it’s no longer a simple matter, after updating Firefox to the latest version, to find out what’s changed. Even the trusty Releases page now only gets you as far as V4.0.

And before you update, there’s no easy way to find out what you’re letting yourself in for, either – except for the breathless claims that V5 has a new look, super speed, and even more awesomeness.

In case you’ve just updated and you’re wondering what’s changed, V5’s killer feature appears to be support for the Do Not Track feature on multiple platforms; it also “includes more than 1,000 improvements and performance enhancements that make it easier to discover and use all of the innovative features in Firefox”.

So if you’re looking for a conservative, low-risk, security-related update, this is not it. Since there is no V4.0.2, either, your only choice for a conservative change is to revert to V3.6.18.

If you’re committed to the new-style Firefox, and you want the latest security patches to V4.0.1, your only choice is to go to V5, which fixes five remote code execution vulnerabilities and three less serious faults.

The V5 critical fixes are:

* MFSA 2011-26 Multiple WebGL crashes
* MFSA 2011-22 Integer overflow and arbitrary code execution in Array.reduceRight()
* MFSA 2011-21 Memory corruption due to multipart/x-mixed-replace images
* MFSA 2011-20 Use-after-free vulnerability when viewing XUL document with script disabled
* MFSA 2011-19 Miscellaneous memory safety hazards (rv:3.0/

There is no security fix for V3.6, which stays at 3.6.18. I can’t help smiling at that, and wondering how many of the security fixes above were necessitated by code added since 4.0.1 to bring us those more-than-1000 enhancements and all that additional awesomeness.

My wish from Mozilla? For Firefox 6 (or 5.0.1, if there is one), please add one tiny extra step to the Check for updates button.

Let me preview a brief but informative list of security fixes I’m going to get (plus their significance), and a short list of anything which will look sufficiently different after Firefox restarts that I might scratch my head and think, “I wonder if that was supposed to happen?”

P.S. Yes, I’ve updated. I wanted the security fixes and I’ve found the FF4 code base usefully quicker. Nothing unexpected has happened to my settings, and it’s so far, so good. I’ve got 3.6.18 installed in parallel, just in case. But I had that before, anyway.

Firefox 4 gets its first security update

Yesterday, five weeks after shipping Firefox 4, the Mozilla project published the new browser’s first-ever security update. The Firefox version number bumps up to 4.0.1.

The update fixes 50-odd bugs in total, amusingly including three fixes listed as specific to OS/2. Ironically, the latest official release of the OS/2 port of Firefox, dubbed Warpzilla, hasn’t yet reached version 4 – it’s still back at version 3.6.8.

The release notes for Firefox 4.0.1 are hard to find from the main page. (Browsing to doesn’t help, as this just redirects to the Mozilla page.) But if you know where to look, you’ll find that two critical security advisories are fixed in the 4.0.1 release.

MFSA2011-12 deals with memory corruption bugs in the browser engine itself; Mozilla experts officially opined that “with enough effort at least some of these could be exploited to run arbitrary code”. MFSA2011-17 deals with “two crashes that could potentially be exploited to run malicious code” in a graphics library called WebGLES, used by Firefox.

Because the 4.0.1 update addresses vulnerabilities that are considered remotely exploitable, we advise you to apply this update without delay.

The previous version, Firefox 3.6, also gets an update, moving to 3.6.17. This update also squashes some critical bugs, including the MFSA2011-12 memory corruption vulnerability affecting Firefox 4.

Two other critical vulnerabilities which don’t affect version 4 are fixed.

MFSA2011-13 deals with various “dangling pointer” bugs (a dangling pointer is a programming mistake in which a memory reference remains in use after the memory it points to has been returned to the operating system for re-use). MFSA2011-15 deals with a privilege escalation bug in the Java Embedding Plugin.

The MFSA2011-15 vulnerability is specific to the Mac OS X version of Firefox. Apple users who imagine themselves invulnerable simply by virtue of their choice of operating system, please take note!

There’s an update to Mozilla’s Thunderbird email client as well. Thunderbird moves to version 3.1.10.

Somewhat confusingly, the Thunderbird release notes don’t list any critical vulnerabilities fixed in this version, but the MFSA2011-12 advisory specifically states that the bugs it covers are “fixed in Thunderbird 3.0.10”.

If you’re a Thunderbird user, we advise you, too, to update as soon as you can.

Busy Month for Apple

This month, Apple published seven security updates resolving around 250 issues. The last patch arrived yesterday; it addressed Mac OS X 10.6.7.

Adding up the CVE IDs (for Common Vulnerabilities and Exposures) listed in each patch does not give us an accurate view of the number of vulnerabilities involved. Several appear in more than one patch: for example, CVE-2011-0191 and CVE-2011-0192 are listed in five patches (Apple TV 4.2, iOS 4.3, iTunes 10.2, Mac OS X v10.6.7/Security Update 2011-001, and Safari 5.0.4).

After eliminating multiple entries, we discover that the 256 March issues are linked to 123 CVE references. Taking a look at 2010, we see 468 CVE covering the whole year. And I have not forgotten the one in January 2011.

CVE-2006-7243 is the oldest vulnerability covered by the 2011 patches. All others are from 2010 and 2011. Here’s what we’ve seen in the last 15 months:

  • 1 CVE from 2003 (CVE-2003-0063)
  • 2 CVE from 2006 (1 in Q1 2011)
  • 11 CVE from 2008
  • 68 CVE from 2009
  • 428 CVE from 2010 (41 in Q1 2011)
  • 82 CVE from 2011 (all covered in 2011)
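The de-duplication and per-year breakdown described above can be reproduced with a short script. This is an added example, not part of the original post: the advisory wording and the `constructed-advisory` entry are made-up sample input, and only the patch names and CVE IDs are taken from the text.

```python
import re
from collections import Counter, defaultdict

# Matches CVE identifiers in any letter case; captures year and sequence number.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# Constructed sample input. The five patch names and the two 2011 CVE IDs come
# from the post; the wording and the "constructed-advisory" entry are made up.
ADVISORIES = {
    "Apple TV 4.2": "Fixes CVE-2011-0191 and CVE-2011-0192.",
    "iOS 4.3": "Addresses CVE-2011-0191; CVE-2011-0192",
    "iTunes 10.2": "cve-2011-0191, CVE-2011-0192 (see also CVE-2011-0191)",
    "Mac OS X v10.6.7/Security Update 2011-001": "CVE-2011-0191 CVE-2011-0192",
    "Safari 5.0.4": "CVE-2011-0192, CVE-2011-0191",
    "constructed-advisory": "CVE-2006-7243 and CVE-2003-0063",
}

def extract_cves(text):
    """Return the set of normalized CVE IDs mentioned in one advisory."""
    return {f"CVE-{year}-{seq}" for year, seq in CVE_RE.findall(text)}

def summarize(advisories):
    """Compare the naive per-advisory sum with the de-duplicated CVE count."""
    seen_in = defaultdict(set)   # CVE ID -> advisories that list it
    raw_entries = 0              # what you get by adding up each advisory
    for name, text in advisories.items():
        ids = extract_cves(text)  # repeats inside one advisory count once
        raw_entries += len(ids)
        for cve in ids:
            seen_in[cve].add(name)
    shared = {c: sorted(n) for c, n in seen_in.items() if len(n) > 1}
    by_year = Counter(int(c.split("-")[1]) for c in seen_in)
    return {
        "raw_entries": raw_entries,
        "unique": len(seen_in),
        "shared": shared,
        "by_year": dict(sorted(by_year.items())),
    }

if __name__ == "__main__":
    result = summarize(ADVISORIES)
    print(f"{result['raw_entries']} listed entries, {result['unique']} unique CVEs")
    for cve, names in sorted(result["shared"].items()):
        print(f"{cve} appears in {len(names)} advisories")
    for year, count in result["by_year"].items():
        print(f"{count} CVE from {year}")
```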

Is it possible to make a comparison between Apple and Microsoft?

During the same period (from January 2010 to March 2011), Microsoft published 123 security bulletins and patched 298 software flaws (CVE).

We can quickly compare by the level of criticality. On the Apple side for 2011, only one vulnerability has a low rating. All the others (123) were named as critical (by Vupen) or highly critical (by Secunia). On the Microsoft side one vulnerability was labeled moderate, 20 important, and eight critical.

Thus, in the last 15 months, Apple has corrected twice as many flaws as Microsoft.