From the 'Security in Obscurity' files:
With all the hype and excitement around the Firefox Aurora and the upcoming Firefox 5 release, it's important not to forget that Firefox 4 has never been patched.
That's about to change.
Firefox 4.0.1 is now available to beta testers (basically people that were running Firefox 4 Betas before it hit GA).
The release notes (as they currently stand) are quite sparse:
- Fixed several security issues.
- Fixed several stability issues.
No, Mozilla has not disclosed what those security issues might be and nor should they. The disclosure and advisories will not come until the Firefox 4.0.1 release is generally available. Mozilla does not want to put users at risk by revealing security details for items that most users have not patched for.
On the stability front, by my count there are at least 52 fixed bugs in 4.0.1 that will improve the stability of the open source web browser.
Among the stability fixes is Bugzilla entry #639885 "Crash [@ memmove ] via mozilla::layers::ReadbackManagerD3D10::ProcessTasks" Mozilla has labelled that bug as critical and I suspect that their could also have been the potential for memory corruption (and/or a use-after-free condition) as well.
Another similar flaw is detailed in Bugzilla entry #640901 which is another critical crash condition issue.
One other issue that caught my eye is Bug # 644012 "crash with an empty issuer name in SSL certificate, +leak fix [@ strcmp | AuthCertificateCallback(void*, PRFileDesc*, int, int)]"
Considering the grief of the Commodo SSL cert flaw last month, this flaw is particularly interesting (and critical).
According to the entry: "Firefox crashes when trying to access a HTTPS website with a certificate that does not contain the fields issuerName." Yes, that's a critical flaw and yes I strongly suspect that it will end up as a named security advisory as well.
Firefox 4.0.1 is not expected to become generally available until April 26th.
Original article by:
No comments:
Post a Comment