Firefox Update Mends 8 Security Flaws

Mozilla has issued a new version of its Firefox Web browser to fix multiple security holes, at least one of which appears fairly serious. The new release updates version 1.5; if you're using this version (check and see by selecting "Help" from the top menu, and then "About Mozilla Firefox"), you should grab the latest version from here.

Updates also are available for the Mozilla Suite (version 1.7.12 and prior), Mozilla Thunderbird e-mail client (version 1.5 and prior) and Mozilla SeaMonkey (versions prior to 1.0).

Update, 5:03 p.m. ET: This patch bundle is the first to show off the new updating mechanism built into Firefox 1.5. A short time after firing up Firefox on my laptop, I received a prominent notice in the middle of my screen that a new version of Firefox was available. This is a big improvement over the way older versions of Firefox notified users of available updates -- a tiny red arrow in the upper right section of the browser window that was way too easy to overlook or ignore.

As one reader already noted, if you are using Firefox 1.5, you don't need to re-install the browser to get this update. You can also get the update by clicking on "Help" from the Firefox pull-down menu and then clicking on "Check for Updates."

The new notification method also allows you to see firsthand whether any Firefox extensions you have installed might break after updating. My notification said the update would break two of my extensions. My guess is it will take just a day or two for the third party developers who manage these extensions to release updates that allow them to work with Firefox 1.5.0.1.

By Brian Krebs  |  February 2, 2006; 10:56 AM ET
Categories:  New Patches  

Comments

I was informed by Roboform's support representation that it will take Roboform a week to post an adapter compatible with the new version of Firefox that allows Roboform to be used within Firefox. Given how critical access to passwords and bookmarks is, that seems like a long time to wait. Of course, an (imperfect) workaround is to use IE for tasks requiring Roboform in the interim -- or, to wait a week before updating Firefox.

Posted by: Richard Boltuck | February 2, 2006 2:46 PM

Brian,

For those using Firefox 1.5, there is no need to download the whole browser again. Simply go to the Help menu and "check for updates".

I'm on a slow (46.6Kbps) dial-up connection and it took less than 2 minutes to download the update.

Unfortunately, the update "breaks" two of my extensions, both dealing with how tabs are handled. That's the price you pay for extensibility, I guess...

Posted by: Didius Falco | February 2, 2006 4:50 PM

I don't see any updates for Thunderbird 1.5 listed on Mozilla's site.

Posted by: William | February 2, 2006 5:39 PM

Firefox 1.5.0.1 is not incompatible with Firefox 1.5 extensions. We didn't change anything that would break extensions. Any extensions that are labeled as incompatible are the result of the extension author not labeling the extension properly to account for dot releases. If we do find ourselves in a position where it is necessary to break an extension to fix a critical security flaw, we will call that version Firefox 1.5.1.

- A

Posted by: Asa Dotzler | February 2, 2006 7:02 PM

Roboform is up and working already.

There is a tag in the extension XPI file which sets the max version that the extension will run under. Unfortunately, most extensions simply said 1.5 so 1.5.0.1 wasn't covered. It can be manually adjusted by the technically facile by decompressing the XPI file, changing the version number, and reinstalling the revised XPI file.

I suspect most will rework their files fairly quickly, but some extensions are not being maintained anymore and it may be a while.

Posted by: Dave H | February 3, 2006 10:52 AM
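
The version check described in the two comments above, as an added example (not part of the original post, and not Mozilla's code): it reads the maximum version an XPI's `install.rdf` manifest declares for Firefox and shows why a bare `1.5` excludes 1.5.0.1 while `1.5.0.*` covers dot releases. The comparator is a simplified form of Mozilla's version comparison (numeric components and `*` only), and `make_xpi` builds a constructed sample package.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

EM = "{http://www.mozilla.org/2004/em-rdf#}"           # install-manifest namespace
FIREFOX_ID = "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"  # Firefox application GUID

def parts(version):
    # Simplified: numeric components only; "*" sorts above any number.
    return [float("inf") if p == "*" else int(p) for p in version.split(".")]

def compare(a, b):
    pa, pb = parts(a), parts(b)
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))  # missing components count as 0: 1.5 == 1.5.0.0
    pb += [0] * (width - len(pb))
    return (pa > pb) - (pa < pb)

def firefox_range(xpi_bytes):
    """Return (minVersion, maxVersion) declared for Firefox, or None."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        root = ET.fromstring(xpi.read("install.rdf"))
    for target in root.iter(EM + "targetApplication"):
        for desc in target:
            if desc.findtext(EM + "id") == FIREFOX_ID:
                return desc.findtext(EM + "minVersion"), desc.findtext(EM + "maxVersion")
    return None

def is_compatible(xpi_bytes, app_version):
    declared = firefox_range(xpi_bytes)
    if declared is None:
        return False
    lo, hi = declared
    return compare(lo, app_version) <= 0 <= compare(hi, app_version)

def make_xpi(max_version):
    """Constructed sample XPI holding only a minimal install.rdf."""
    rdf = f"""<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
 <Description about="urn:mozilla:install-manifest"><em:targetApplication><Description>
  <em:id>{FIREFOX_ID}</em:id>
  <em:minVersion>1.5</em:minVersion><em:maxVersion>{max_version}</em:maxVersion>
 </Description></em:targetApplication></Description></RDF>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", rdf)
    return buf.getvalue()
```
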

An exploit for this has been released. So far it has only been tested on Gentoo Linux with the stock mozilla-firefox 1.5.0.0 package. It took almost 1 gig of padded code to overwrite the memory buffers and unleash the exploit code. Chances are this exploit will not work under Windows and perhaps not even under other Linux distributions. But it does prove the concept and other exploits may be released soon.

John Herron, CISSP
http://www.NIST.org

Posted by: John Herron | February 7, 2006 11:41 PM

Roboform was already compatible at the time of the release. It was a mere error in versioning as mentioned above by Dotzler. It does not break.

Posted by: wr | February 8, 2006 10:52 AM

As soon as I installed Firefox 1.5.0.1, I lost the ability to log in to AOL's free radio. I get an error message that says either my equipment or my browser is incompatible. Compatible browsers are listed as IE, Netscape and AOL versions (X) "and above" and Firefox 1.0 -- no "and above" for Firefox.

Posted by: Denis Drew | February 12, 2006 11:59 AM

The comments to this entry are closed.

 
 
© 2010 The Washington Post Company