Mozilla Updates Firefox 16.01 after Snafu
Two releases in one week for Mozilla as the open source browser vendor rapidly responds to potential security risk.
The simple reality of modern software development is that security vulnerabilities will always be found. The true measure of security isn't just about finding vulnerabilities, but also about how fast you respond to them. It's a measure that browser vendors understand better than most.
On Tuesday, Mozilla released Firefox 16, fixing at least 14 different security vulnerabilities, 11 of which were rated as critical. While the Firefox 16 patch load was non-trivial, it wasn't complete. Mozilla somehow missed at least four additional vulnerabilities.
Mozilla officially acknowledged the additional flaws late Wednesday and issued the Firefox 16.01 update on Thursday afternoon.
"Since discovery of the issue yesterday, our first priority has been to protect our users," Jonathan Nightingale, senior director of Firefox Engineering, wrote in an email to eSecurity Planet. "Today we've delivered an update for Firefox that resolves the vulnerability completely."
The two core flaws dealt with in Firefox 16.01 are CVE 2012-4193, titled "Lack of security check for [[DefaultValue]]," and CVE 2012-4192, titled "Cross domain access to the location object."
"Mozilla security researcher moz_bug_r_a4 reported a regression where security wrappers are unwrapped without doing a security check in defaultValue()," Mozilla warned in its advisory. "This can allow for improper access to the Location object."
As it turns out, those two flaws also affect the Firefox ESR (Extended Support Release), which is intended for enterprise usage. As such, Mozilla is also releasing a Firefox ESR 10.09 update to fix the issue.
Firefox 16.01 also fixes an additional two flaws that Mozilla has grouped together under the title "Miscellaneous memory safety hazards."
"Mozilla developers identified and fixed two top crashing bugs in the browser engine used in Firefox and other Mozilla-based products," Mozilla warned in an advisory. "These bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code."
The quick Firefox 16.01 update is not the first time in recent memory that Mozilla has had to quickly push out an update for an update, though typically not this fast.
While Mozilla earns points for rapid response, it's not entirely clear at this point if Mozilla could or should have noticed and fixed the additional flaws in the original Firefox 16 release.
Nightingale stressed that Mozilla analyzes every security issue to understand its root causes.
"That work is already underway, and one early result is a set of new automated tests to ensure this problem never happens again," Nightingale said. "These tests are up and running alongside hundreds of thousands of others that regularly check the quality of every Firefox build."
Mozilla isn't the only browser vendor out with a rapid update this week. Google pushed out a Chrome update within 24 hours of being alerted to a new vulnerability. Google Chrome Stable 22.0.1229.94 was released on Wednesday, fixing a critical flaw discovered by the security researcher known only as Pinkie Pie.
Pinkie Pie's bug was actually solicited by Google as part of the Pwnium 2 hacking challenge. Pinkie Pie was the winner of the first Pwnium challenge earlier this year as well. This time out, the My Little Pony-loving security researcher earned $60,000 in reward money for a flaw Google details as "SVG use-after-free and IPC arbitrary file write."