Mozilla is updating its Firefox Web browser with new technology that is targeted at making the open source browser more stable. The Firefox 3.6.4 release also includes fixes for four critical security vulnerabilities.
Firefox 3.6.4 is the first Firefox update in the Lorentz branch of Firefox development, which adds new features to incremental point updates of the browser. Typically, point updates in the Firefox browser do not introduce new functionality, but rather are built to address bug and security issues. The Firefox 3.6.3 release came out in April in response to a reported security vulnerability from the Pwn2Own hacking competition.
"Results from our beta testing show Firefox 3.6.4 will significantly reduce the number of Firefox crashes experienced by users who are watching online videos or playing games," Mike Beltzner, Mozilla's director of Firefox, wrote in a blog post. "When a plug-in crashes or freezes while using Firefox, users can enjoy uninterrupted browsing by simply refreshing the page."
The way crashes are reduced is through Firefox 3.6.4's out-of-process plug-in support. With out-of-process plug-ins, if a plug-in has stability issues or crashes, it won't take down the whole browser, since the plug-ins run in their own process, separate from the browser's. The approach is similar to one taken by Google's Chrome browser.
The delivery of the out-of-process plug-in technology inside of the 3.6.x release cycle is part of Mozilla's Lorentz agile effort at more rapid releases. With the Lorentz approach, the idea was that the Firefox 3.6.x branch could be updated with features more rapidly and not break backwards compatibility with add-ons and plug-ins.
Not all plug-ins will run out-of-process in Firefox 3.6.4. Only Adobe Flash, Apple QuickTime and Microsoft Silverlight are being supported, with the aim of adding other plug-ins in future Firefox releases.
In addition to the crash protection provided by Firefox 3.6.4, Mozilla also has a plug-in checker service. With the Mozilla plug-in checker, which supports both Firefox and rival browser Microsoft Internet Explorer, users can ensure that they are running up-to-date plug-ins.
Firefox 3.6.4 also provides fixes for four critical security vulnerabilities. Among the flaws fixed are memory corruption, heap buffer overflow and integer overflow flaws. A critical security fix is also being made to how Firefox handles plug-in instances, an issue that was reported by Microsoft.
"Microsoft Vulnerability Research reported that two plug-in instances could interact in a way in which one plug-in gets a reference to an object owned by a second plug-in and continues to hold that reference after the second plug-in is unloaded and its object is destroyed," Mozilla stated in its advisory. "In these cases, the first plug-in would contain a pointer to freed memory which, if accessed, could be used by an attacker to execute arbitrary code on a victim's computer."
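The dangling reference described in the advisory can be ruled out at the host by never giving one plug-in a raw pointer to another plug-in's object. The sketch below is an added example, not Mozilla's code or its actual fix; the handle table, the function names and the integer plug-in ids are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical host-side table of objects owned by plug-in instances. */
#define SLOTS 8
typedef struct { int owner; uint32_t gen; int *obj; } slot_t;  /* obj == NULL: free */
typedef struct { uint32_t idx, gen; } handle_t;
static slot_t table[SLOTS];

/* The owning plug-in creates an object; callers get a handle, not the pointer. */
handle_t obj_create(int owner, int value) {
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (table[i].obj) continue;
        table[i].obj = malloc(sizeof(int));
        if (!table[i].obj) break;
        *table[i].obj = value;
        table[i].owner = owner;
        return (handle_t){ i, table[i].gen };
    }
    return (handle_t){ SLOTS, 0 };              /* invalid handle */
}

/* Unloading destroys the plug-in's objects and bumps each slot's generation,
   so every handle issued before the unload becomes stale. */
void plugin_unload(int owner) {
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (table[i].obj && table[i].owner == owner) {
            free(table[i].obj);
            table[i].obj = NULL;
            table[i].gen++;
        }
    }
}

/* A second plug-in dereferences through the host: 0 on success, -1 if stale. */
int obj_read(handle_t h, int *out) {
    if (h.idx >= SLOTS || !table[h.idx].obj || table[h.idx].gen != h.gen)
        return -1;
    *out = *table[h.idx].obj;
    return 0;
}

int main(void) {
    int v = 0;
    handle_t h = obj_create(2, 41);   /* plug-in 2 owns it; plug-in 1 keeps h */
    plugin_unload(2);                 /* owner goes away, object is destroyed */
    obj_create(1, 7);                 /* the freed slot is reused */
    printf("stale handle read: %d\n", obj_read(h, &v));
    plugin_unload(1);
    return 0;
}
```

The generation check is what rejects the old handle even after the slot has been reused for a new object, which is the case a plain NULL check would miss.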
With the Firefox 3.6.4 release now available, developers are continuing to work on the next-generation Firefox 4 browser. Firefox 4 is currently in alpha testing, and the first Firefox 4 beta is targeted for release this month, providing improved performance, add-on and HTML5 capabilities.