News

Mozilla ships Firefox 6; patches 10 major security holes

SearchSecurity.in Staff

Hot on the heels of Firefox browser’s previous update, Mozilla has released version 6 as part of the team’s rapid upgrade cycle. A total of ten security bugs have been patched, of which eight have a critical rating and two, a high rating, according to the Mozilla advisory.

    Requires Free Membership to View

The upgrade fixes several issues including several memory safety bugs, flaws related to unsigned scripts, heap overflows and issues with WebGL shaders, among others.

Although the change log features over 1600 changes, only the most serious have been addressed by Mozilla in its release notes. The memory safety bugs pertain to evidences of memory corruption under some conditions that may be exploited to run arbitrary code. These bugs are known to cause crashes in WebGL, JavaScript and Ogg reader, affecting Firefox versions 4 and 5.

Buffer overrun errors have been fixed in the WebGL rendering engine, which could cause a crash in the string class used to store the shader source code for overly long shader programs. Other fixes to WebGL include addressal of heap overflows in the ANGLE library used by Mozilla’s WebGL implementation.

Of the ten security bugs, two carry a high rating. These bugs are known to cause credential leakage using content security policy reports and cross-origin data theft. Of these, the first could lead to the incorrect resolution of hosts. The second bug could lead to image data from a domain read by another domain when using canvas and Windows D2D hardware acceleration.

Firefox 6 brings some new features to the table, which includes a new permissions manager that allows users to tweak permissions on a site-by-site basis. This feature can be used to modify settings like password capture and cookies on a per site basis. Firefox 6 also adds a JavaScript prototyping tool known as Scratchpad for developers.

A complete run-down of the security fixes can be found in this Mozilla Firefox advisory. The Mozilla team has also released security fixes for Firefox version 3.6, updating it to 3.6.20, the details of which are addressed in a separate security advisory.

Firefox 6 is available as an incremental update through a built in update engine for existing users of versions 4 and 5. It is also available as a stand-alone installer from the Mozilla website.