Firefox Experiences Its Own 'Patch Tuesday'


The Mozilla Foundation yesterday urged users to download the latest security update to Firefox, its popular open-source Web browser.

Firefox 1.0.5 is a security update that addresses several bugs and makes improvements to the software's stability, according to Mozilla. In all, the new version addresses 12 vulnerabilities, including JavaScript origin spoofing, content-generated event vulnerabilities and a possible exploitable crash in InstallVersion.compareTo.

Some of those bugs are "high risk" and could allow a malicious code writer to take over a PC or expose a user's data. The Mozilla community's bug bounty program helped uncover some of the security holes. The bug finders each received US$500 and a Mozilla T-shirt.

How Vulnerable Are Users?

Michael Sutton, director of iDefense Labs, the company's vulnerability research arm, told LinuxInsider that the vulnerabilities were low- to mid-level critical. Of the 12 bugs, he said public exploit code is available for three of them. The availability of public exploit code increases user risk.

"There are three categories that all the exploits fall into," Sutton said. "One category includes issues like frame origin or cross-domain content injection. Those are the vulnerabilities that assist in phishing attacks. About half of the Firefox vulnerabilities fell into that category, at least one for which there was some public exploit code available."

Firefox also issued patches for denial of service attacks. However, analysts called these flaws less critical since the result of the attack is merely a browser crash.

The most serious issues were related to code or script execution. These flaws provide an avenue for malicious code writers to launch code on a user's machine when the user visits a trusted Web site. Sutton said public code is also available for some of those vulnerabilities.

Firefox's Patch Tuesday

Firefox released its patches on the infamous Patch Tuesday, Microsoft's (Nasdaq: MSFT) scheduled patch distribution day. The question, then, becomes which browser maker is more efficient in developing and distributing patches.

Microsoft's and Mozilla's approaches to distributing patches are about as different as their software development strategies. Microsoft's approach stores up patches to release once a month. Mozilla's approach is to release patches as quickly as possible.

Analysts said there are advantages and drawbacks to both strategies.

"Sometimes corporations are more comfortable with Microsoft's approach because they always know when patches are coming out and they can be prepared," Sutton said. "The downside to it is if there is a patch available on day one and the company is not releasing a patch until day 30 of the monthly cycle, then there's a long window of opportunity for something to go wrong."

With the latest Firefox update completed, Mozilla plans to release a new version of its Thunderbird e-mail client later this week. The organization also plans to release Firefox 1.1 in August or September, which will allow users to download the fixes.


By Jennifer LeClaire