Mozilla Releases 1st Firefox 4 Security Update


Mozilla has released the first security update for its open source Firefox 4 Web browser.

Firefox 4.0.1 fixes 14 software vulnerabilities, across three separate security advisories. Mozilla has labeled 13 of the flaws as being critical, while one is rated as low impact.

The biggest category of fixed vulnerabilities in Firefox 4.0.1 is memory safety issues, with 10 identified flaws.

"Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products," Mozilla warned in its advisory. "Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code."

The high impact category of flaws is in WebGL and its related WebGLES graphics library. Mozilla is providing three fixes for WebGLES flaws in the Firefox 4.0.1 update.

One of the WebGLES flaws isn't unique to Firefox and also affected Google's Chrome web browser. Chrome developers have been busy themselves, pushing out the Chrome 11 release earlier this week.

"Yuri Ko reported a potentially exploitable overwrite in the WebGLES library to the Chrome Security Team," Mozilla noted in its advisory. "We thank them for coordinating with us on this fix."

Google's Chrome Security Team also reported a low impact flaw that Mozilla is patching in Firefox 4.0.1.

"Chris Evans of the Chrome Security Team reported that the XSLT generate-id() function returned a string that revealed a specific valid address of an object on the memory heap," Mozilla warned in its advisory.

Unlike the critical memory flaws that Mozilla is patching with the Firefox 4.0.1 release, the XSLT flaw will not lead to arbitrary code execution. According to Mozilla, an attacker could have used the XSLT flaw to help launch some form of memory corruption attack, possibly making another attack more reliable.

The Firefox 4.0.1 release is the first update to Mozilla's browser since Firefox 4 debuted in March. Firefox developers are currently pushing forward on Firefox 5, which is targeted for release by the end of June.

Sean Michael Kerner is a senior editor at, the news service of, the network for technology professionals.