Sunday, July 27, 2008

Firefox 3.0.1 Is Available for Download

Mozilla said as early as last week that the first security and stability update for Firefox 3.0 would be available for download on July 16, and it looks like it lived up to its promise. Although official confirmation has yet to be made available, Firefox 3.0.1 is already up for grabs, one day following the release of Firefox, and almost one month since Firefox 3.0 went live and reached the 8 million downloads milestone in the first 24 hours. Version 3.0.1 is the step Mozilla takes toward focusing exclusively on Firefox 3.0.

The first issue deals with a "remote code execution by overflowing CSS reference counter". According to Mozilla, "The vulnerability was caused by an insufficiently sized variable being used as a reference counter for CSS objects. By creating a very large number of references to a common CSS object, this counter could be overflowed which could cause a crash when the browser attempts to free the CSS object while still in use. An attacker could use this crash to run arbitrary code on the victim's computer."
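The counter wrap Mozilla describes can be modelled in a few lines. This is an added illustration, not Mozilla's code or its patch: the `style_obj` type, the function names and the 16-bit counter width are assumptions chosen so the wrap is quick to reproduce, and a `freed` flag stands in for a real `free()` so the behaviour stays well defined.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a shared CSS object (not Mozilla's type). */
typedef struct {
    uint16_t refs;  /* assumed narrow reference counter */
    bool freed;     /* set where real code would call free() */
} style_obj;

/* Flawed pattern: the increment silently wraps 65535 -> 0. */
static void addref_unchecked(style_obj *o) { o->refs++; }

/* Defensive pattern: refuse a reference the counter cannot represent. */
static bool addref_checked(style_obj *o) {
    if (o->refs == UINT16_MAX) return false;
    o->refs++;
    return true;
}

static void release(style_obj *o) {
    if (--o->refs == 0) o->freed = true;
}

/* Take `holders` extra references, drop one, and report whether the object
   was freed even though the other holders still point at it. */
int freed_while_in_use_unchecked(uint32_t holders) {
    style_obj o = { 1, false };
    for (uint32_t i = 0; i < holders; i++) addref_unchecked(&o);
    release(&o);
    return o.freed;
}

/* Same sequence with the checked increment; returns how many references
   were refused and stores the freed state in *freed. */
uint32_t refused_by_checked(uint32_t holders, int *freed) {
    style_obj o = { 1, false };
    uint32_t refused = 0;
    for (uint32_t i = 0; i < holders; i++)
        if (!addref_checked(&o)) refused++;
    release(&o);
    *freed = o.freed;
    return refused;
}

int main(void) {
    int freed;
    printf("unchecked: freed while in use = %d\n", freed_while_in_use_unchecked(65536));
    printf("checked: refused = %u", (unsigned)refused_by_checked(65536, &freed));
    printf(", freed = %d\n", freed);
    return 0;
}
```

With the unchecked increment, 65536 extra references bring the counter back to its starting value of 1, so a single release marks the object freed while every other holder still references it; the checked increment refuses the references it cannot count and the object stays alive.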

The second security hole plugged with the release of Firefox 3.0.1 involves "command-line URLs launch multiple tabs when Firefox not running". Mozilla revealed that despite the Critical rating, this vulnerability is mitigated by limited privileges. However, in combination with a script injection flaw, the vulnerability can permit an attacker to execute arbitrary code on a vulnerable system.

Firefox 3.0.1 is designed to fix two security vulnerabilities, both labeled with a maximum severity rating of critical. Not coincidentally, the pair of security flaws are the very same that Mozilla patched on July 15 in Firefox is set in stone at this point in time, but with Mozilla looking to phase out support for Firefox 2.0 by mid-December 2008, Firefox 3.0.1 is considered a candidate for a major update rollout. In this context, Firefox 3.0.1 might be the version of the open source browser that will get pushed to all users of Firefox 2.0 automatically. "Firefox 2.0.0.x will be maintained with security and stability updates until mid-December, 2008. All users are encouraged to upgrade to Firefox 3," said Samuel Sidler, Quality Assurance Engineer at Mozilla.

Firefox 3.0.1 for Windows is available for download here.
Firefox 3.0.1 for Linux is available for download here.
Firefox 3.0.1 for Mac OS X is available for download here.