Mozilla patches Firefox 4, fixes programming bungle

Closes eight holes in new browser, including ASLR oversight

Mozilla on Thursday patched Firefox 4 for the first time, fixing eight flaws, including a major programming oversight that left the browser as vulnerable to attack on Windows 7 as on the 10-year-old Windows XP.

The company also plugged 15 holes in the still-supported Firefox 3.6, and issued its last security update for Firefox 3.5, which debuted in mid-2009.

Mozilla patched a total of 20 bugs in all versions of Firefox, 17 of them rated "critical," the company's top-most threat warning in its four-step scoring system.

Firefox 4.0.1, the first update to that browser since its March 22 launch, fixed seven critical flaws and one rated "low."

The most important of the bugs was a programming lapse that left Firefox 4 open to less-sophisticated attacks: a memory-corruption bug that would otherwise need an additional information leak to locate code in a randomized process could be exploited directly.

"The WebGLES libraries in the Windows version of Firefox were compiled without ASLR protection," stated the advisory labeled MFSA 2011-17. "An attacker who found an exploitable memory corruption flaw could then use these libraries to bypass ASLR on Windows Vista and Windows 7, making the flaw as exploitable on those platforms as it would be on Windows XP or other platforms."

The WebGLES libraries implement the OpenGL ES back end for WebGL, a royalty-free JavaScript API that lets web pages render interactive 3-D graphics in the browser without a plug-in.

WebGL is supported in shipping versions of Firefox and Google's Chrome, in a preview build of Opera Software's Opera, and will be backed by Safari in its next upgrade.

The Khronos Group, an industry consortium whose members include Mozilla, Google, Opera and Apple, released the final specification of WebGL 1.0 just last month.

ASLR, or address space layout randomization, is one of the security underpinnings of Windows Vista and Windows 7. It randomizes the base addresses at which executables, DLLs, the heap and the stack are mapped, so that their locations differ from one boot or process to the next and an attacker who has found a memory-corruption bug cannot rely on knowing where code or data will sit. On Windows a module only takes part if it was linked with the /DYNAMICBASE option; a module that opts out is loaded at a predictable address and hands the attacker a fixed supply of return addresses and code fragments, which is why a single un-randomized library undermines the protection for the whole browser process.

"The WebGLES libraries could potentially be used to bypass a security feature of recent Windows versions," Mozilla acknowledged. "WebGL was introduced in Firefox 4; older versions are not affected by these issues."
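As an added example (not Mozilla's code and not part of the advisory), the following Python script reads the flags a Windows linker sets when a module opts in to ASLR and DEP, which is the release-time check that would have caught this oversight. It parses only the PE headers, so it needs no Windows tooling; the sample input is a constructed minimal header rather than a real DLL, because the article does not name the affected files, and the directory-scanning entry point is an assumption about how one would apply it to a Firefox install. It also reports the caveat that /DYNAMICBASE alone is not enough: an image whose relocation data has been stripped cannot be moved by the loader even with the flag set.

```python
"""Check whether a Windows PE image opts in to ASLR (and DEP).

Added example, not Mozilla's code: a 2011 Firefox build could have been
audited the same way by walking its install directory. The sample input
below is a constructed minimal PE header, not a real DLL.
"""
import struct
import sys
from pathlib import Path

# IMAGE_DLLCHARACTERISTICS_* flags in the PE optional header
DYNAMIC_BASE = 0x0040     # linker /DYNAMICBASE: image may be relocated (ASLR)
NX_COMPAT = 0x0100        # linker /NXCOMPAT: image is DEP-compatible
# IMAGE_FILE_* flag in the COFF file header
RELOCS_STRIPPED = 0x0001  # no .reloc data: the loader cannot move the image


def aslr_status(data: bytes) -> dict:
    """Parse just enough of a PE file to report its ASLR/DEP opt-in state."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (_, _, _, _, _, opt_size, coff_chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    relocs_stripped = bool(coff_chars & RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        # /DYNAMICBASE alone is not enough: without relocation data the loader
        # must map the image at its preferred base, so it still bypasses ASLR
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def build_pe(dll_chars: int, coff_chars: int = 0, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (no sections) for offline testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # 64 bytes
    opt_size = 112 if pe32plus else 96   # optional header size without data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


def scan(paths):
    """Report every image under the given directories that does not get ASLR."""
    for p in paths:
        for f in Path(p).rglob("*"):
            if f.suffix.lower() not in (".dll", ".exe"):
                continue
            try:
                s = aslr_status(f.read_bytes())
            except ValueError:
                continue
            if not s["aslr_effective"]:
                print(f"{f}: no ASLR (dynamic_base={s['dynamic_base']}, "
                      f"relocs_stripped={s['relocs_stripped']})")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        scan(sys.argv[1:])   # e.g. the Firefox install directory (assumed usage)
    else:
        # Constructed samples: a hardened module, and one built the way the
        # WebGLES libraries were described, without /DYNAMICBASE.
        for name, blob in [("hardened.dll", build_pe(DYNAMIC_BASE | NX_COMPAT)),
                           ("no-aslr.dll", build_pe(NX_COMPAT))]:
            print(name, aslr_status(blob))
```

Run with no arguments to see the two constructed samples; run with one or more directories to list every DLL or EXE in them that the Windows loader would place at a fixed address. Flagging `relocs_stripped` separately matters because a build system can pass /DYNAMICBASE yet also strip relocations, which leaves the flag set and the protection absent.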

Mozilla credited a researcher who goes only by his first name, "Nils," for reporting the ASLR oversight. Nils may be best known for his work at the annual Pwn2Own hacking contest, where in 2009 he exploited Internet Explorer, Firefox and Safari in short order to win $15,000 in cash awards.

At 2010's Pwn2Own, Nils won $10,000 by sidestepping ASLR and DEP (data execution prevention), another anti-exploit technology found in Windows, to hack Firefox 3.6.

Mozilla also upgraded older editions of Firefox to 3.6.17 and 3.5.19, noting that the latter was the last security update for the aged browser.

"This is the last planned security and stability release for Firefox 3.5," said Christian Legnitto, who oversees Firefox releases. "All users are encouraged to upgrade to Firefox 4."

The support expiration for Firefox 3.5 will affect a minority of Mozilla's users: As of the end of March, just 1.7 per cent of all users worldwide were running the browser, according to statistics from Web metrics company Net Applications.

Users can update to Firefox 4.0.1 by downloading the new edition -- which runs on Windows, Mac and Linux -- or by selecting "Check for Updates" from the Help menu in the browser. Firefox 3.6 and 3.5 users can obtain their newest versions with the update tool.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.

Gregg Keizer, Computerworld (US)