Mozilla Firefox, Thunderbird updated to ver. 7; critical bugs fixed

News

Mozilla Firefox, Thunderbird updated to ver. 7; critical bugs fixed

SearchSecurity.in Staff

Mozilla has updated Firefox and Thunderbird to version 7, addressing critical bugs and adding improvements. This is part of Mozilla’s fast track update program which releases an update every six weeks.

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

In all, eight security vulnerabilities were fixed in Firefox 7, and five in Thunderbird. The Thunderbird flaws are common to both products. Mozilla rates vulnerabilities as critical if they can be exploited to run code and install software without any user interaction. (For a full list of vulnerabilities fixed: See sidebar).

The critical bugs shared with Thunderbird include a use-after-free flaw with OGG headers, a YARR regular expression library flaw that can potentially cause crashes, a code installation issue when holding down the ‘Enter’ key and miscellaneous memory safety hazards. One moderate bug has also been fixed in both products addressing Carriage Return/ Line Feed (CRLF) injections that cause multiple location headers.

The Firefox 7 patch also fixes three other bugs, two rated as critical and one moderate. One of the critical patches is for security vulnerabilities in Firefox’s WebGL engine, an issue that has become ubiquitous in every update to the product.

Firefox 7 sees renewed support for Websocket, a protocol that had been discontinued due to security issues. Websocket has been updated to version 8, which is not vulnerable to any known attack at present, according to Mozilla.

Apart from these, the major improvement in Firefox 7 is better memory management, the developers mention. Firefox 7 is touted to use 20-40% less memory, on an average, than its predecessor, thanks to Mozilla’s MemShrink project.

Firefox also changes the way HTTP and HTTPS address are displayed in the address bar to make it easier for users to distinguish between the two. If a website is using HTTP, the “http://” is suppressed as against websites using HTTPS, where the full address is displayed, a technique reminiscent of Google Chrome.

Firefox and Thunderbird can be downloaded from the Mozilla Project website. A full list of the vulnerabilities fixed in Firefox 7 can be found in this security advisory. The advisory for Thunderbird 7 can be found here.


You can follow our Twitter feed at @SearchSecIN