New Firefox Fixes Holes
Ten Security Vulnerabilities Patched in v1.0.5
By Jim Wagner
Officials at the open source Mozilla Foundation released an update for the Firefox browser late Tuesday.
Firefox 1.0.5 is the first update to the popular alternative browser since May 11, when the organization fixed three critical bugs in the Mozilla Update Web service. Firefox 1.0.4 was rushed out the door days after two of the flaws were published by an outfit called the Greyhats Security Group.
Chris Hofmann, Mozilla director of engineering, said the update addresses 10 security issues discovered in the Firefox code, as well as stability fixes to the browser. He said the security vulnerabilities range in severity from moderate to high, with two rated "borderline critical," and that none of them have known exploits.
In addition to Firefox, officials plan to release updates to the Thunderbird e-mail application and Mozilla suite to correct the vulnerabilities addressed in the browser. Hofmann expects Thunderbird and Mozilla updates to be released Wednesday.
As officials pointed out, all three applications use a similar code base, so what affects one may very well affect the others.
The organization released the update the same day as Microsoft's monthly Patch Tuesday. One of Microsoft's three fixes involved the software giant's Internet Explorer Web browser.
The Redmond, Wash., company released a patch for a critical vulnerability in IE versions 5 and 6 involving a weakness in the company's JView Profiler, the debugger interface for the Microsoft Java virtual machine.
Hofmann said most of the fixes in this latest version of Firefox came from the Mozilla community, helped by the organization's bug bounty program. The foundation rewards people who report a valid critical security bug with $500 and a Mozilla T-shirt.
The Mozilla chief engineer commented on the advantages of having an application in an open source environment over a proprietary product.
"We've got this open source community, where people can bring a number of different perspectives, where a commercial company really can't replicate that," Hofmann said. "They're paying all the people they have in the engineering staff and over time the way in which they look at the code has the potential to get stale."