Mozilla Patches HTML5 Bugs In Firefox 9

It continues to be a busy period for Mozilla, which shipped a follow-up update less than a day after releasing the latest version of its Firefox browser.

Mozilla patched six Firefox vulnerabilities in the new Firefox 9, which it officially released on 20 December. Four of the issues were rated “critical,” and the remaining two were rated “high” and “moderate.” Mozilla also released Firefox 9.0.1 on 21 December to fix a bug that was causing the Mac version of the popular browser to crash.

Bug Fixes

Two critical patches addressed HTML5 security in Firefox, the Thunderbird email client and SeaMonkey, an all-in-one suite that combines a web browser with email, newsgroups, feed and chat clients. Mozilla fixed a bug that caused the applications to crash when an Ogg <video> element was scaled to “extreme sizes,” according to the 2011-58 security advisory. The other issue was an out-of-bounds memory access flaw in Mozilla’s SVG implementation in these applications, according to the 2011-55 advisory. This flaw was reported by HP TippingPoint’s Zero Day Initiative.

“One problem that was pointed out by various people is the fact that the addition of the <video> and <audio> tags requires the inclusion of respective file format parsers in the browser. These parsers have been known in the past to be the source of various security issues,” said Johannes Ullrich, of SANS Institute’s Internet Storm Centre.

Another critical patch addressed 23 memory safety bugs that Mozilla developers found and fixed in the core browser engine. Mozilla said these bugs cannot be exploited through email in Thunderbird and SeaMonkey because scripting is disabled there, but they pose a potential risk in the Web browser and other browser-like contexts. They do not affect the engine used in versions before Firefox 4.

“Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code,” Mozilla wrote in the 2011-53 security advisory.

Automatic Updates

Firefox 9 still does not have the “silent update” mechanism that Mozilla promised in the summer of 2010. Silent updates are now expected in Firefox 12, due in April 2012.

At the moment, Google’s Chrome Web browser is the only major browser that upgrades itself to the latest version without requiring any user interaction.

Microsoft announced this month it will also implement automatic updates for Internet Explorer.

Java Vulnerability

Mozilla also released Firefox 3.6.25 to fix the Java .jar vulnerability in the Mac OS X version of the browser that had originally been patched in September. Mozilla rolled out the new update because the original patch (2011-40) turned out to be incorrect. Firefox 3.6 was released in 2010 and is still supported, although Mozilla is encouraging users to move to newer versions on the rapid-release schedule.

The vulnerability caused downloaded .jar files to be treated as fully featured “applications” rather than as “applets,” which are granted only limited privileges. It was also present in Mozilla’s Thunderbird email client and has been fixed in Thunderbird 3.1.17.

The company recently moved to a rapid development cycle, updating the Web browser every six weeks. Firefox 10 is scheduled for 31 January, 2012.

In this latest version, Mozilla optimized its SpiderMonkey JavaScript engine to generate native code more efficiently. Firefox 9 renders JavaScript between 16 percent and 36 percent faster than previous versions, Mozilla said, citing results from various JavaScript benchmark test suites.

Firefox 9’s interface on Mac OS X 10.7 has been tweaked to support Lion’s two-fingered swipe gesture for navigating backward and forward through already-viewed pages and sites. The Android version’s interface has also been revamped.

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.
