Posts Tagged ‘extended support release’
Thursday, June 7, 2012 @ 02:06 PM gHale
Mozilla’s Firefox 13 and Thunderbird 13 releases close critical security holes in the open source browser and email client.
In addition, Mozilla also ported most of these fixes to the Extended Support Release (ESR) versions of both products.
Firefox 13 includes seven security fixes, four of them for critically rated vulnerabilities. Six of these security problems also affect Firefox ESR. The corrections fix a buffer overflow and a use-after-free problem found using the Address Sanitizer tool and several other memory safety issues. A critical privilege escalation vulnerability in the Mozilla Updater only affects the current edition of Firefox; the ESR edition remains unaffected.
The vulnerabilities and their fixes are mirrored in the Thunderbird 13 and Thunderbird ESR updates as the browser and email client share a large amount of rendering code.
Firefox 13 (release notes), Firefox ESR 10.0.5 (release notes), Thunderbird 13 (release notes) and Thunderbird ESR 10.0.5 (release notes) are available from Mozilla’s web site for Windows, Mac OS X and Linux.
Monday, April 30, 2012 @ 07:04 PM gHale
Mozilla released Firefox 12, which patches 14 security bugs in the browser and moves it one step closer to matching Chrome in silent updating.
The latest in the line of updates rolling off the Mozilla development line every six weeks since mid-2011, Firefox 12 fixed seven vulnerabilities labeled “critical,” the highest threat ranking in Mozilla’s four-step scoring, four bugs tagged “high” and three pegged “moderate.”
Mozilla also patched 19 other bugs, all critical, in the mobile edition of Firefox, which runs on the Android platform.
Among the 14 desktop vulnerabilities, Mozilla patched three that hackers could use in cross-site scripting (XSS) attacks, one that applied only to Windows Vista and Windows 7 PCs with hardware acceleration disabled and another in image rendering done by the WebGL 3D standard.
Two of the bugs ended up reported by security researchers at rivals Google and Opera Software. The Google engineer also notified Mozilla of all 19 vulnerabilities in the FreeType library that affected the mobile version of the browser.
Unlike Google, Mozilla does not call out bounties it paid to outside researchers for reporting vulnerabilities, even though Mozilla does have a reward program.
Mozilla did not explicitly say all the flaws were exploitable, but instead hedged with its traditional phrasing of, “We presume that with enough effort at least some of these could be exploited to run arbitrary code.”
Eleven of the 14 bugs also ended up patched in Firefox ESR, or Extended Support Release, the longer-lived edition designed for enterprises that don’t want to update workers’ machines every few weeks.
The current version of Firefox ESR is based on Firefox 10, which shipped in December 2011. ESR receives only security updates during its 54-week lifespan. The first iteration of ESR won’t change until November 2012, and will get support with security patches until early February 2013.
Meanwhile, Mozilla updated Thunderbird and SeaMonkey, but they introduced relatively few new features or changes.
In version 12 of the Thunderbird news and email client, the Global Search function now includes extracts of messages in its results, and RSS feed subscription and general feed handling have been improved. Changes in the 2.9 update to the SeaMonkey “all-in-one internet application suite” include adding the ability to resize the File and Move Bookmarks dialogs, fixes for HTML5 videos, and Download Manager improvements that allow users to download URLs pasted from the clipboard.
The updates to Thunderbird and SeaMonkey also remedy 13 vulnerabilities in each of the applications. Six of these are critical and originate in problems related to WebGL, OpenType Sanitizer, font-rendering with Cairo, gfxImageSurface, IBMKeyRange and miscellaneous memory safety hazards. Four of the remaining issues rate as “High” risk, while the three remaining bugs are “Moderate”. Further details of these fixes are in the project’s security advisories.
In the release announcement for Thunderbird, developers also remind users, like Firefox 3.6.x, the legacy 3.1.x branch of the application reached its end of life and that no further updates, including security updates and critical fixes, will be available for the series. All users should upgrade. Those who don’t want to upgrade to Thunderbird 12 can switch to Mozilla’s Extended Support Release (ESR), Thunderbird ESR, which just updated to version 10.0.4.
Tuesday, February 14, 2012 @ 03:02 PM gHale
Mozilla released Firefox 10.0.1, Firefox ESR 10.0.1, Thunderbird 10.0.1, Thunderbird ESR 10.0.1 and SeaMonkey 2.7.1 to fix a single critical security hole in the browsers and mail clients which appeared in version 10.
The security advisory said versions previous to Firefox 10, Thunderbird 10 and Seamonkey 2.7 are unaffected by the use after free problem.
Mozilla developers discovered the issue, which causes a “potentially exploitable” crash in nsXBLDocumentInfo::ReadPrototypeBindings.
Updates are available through Firefox, Thunderbird and SeaMonkey’s automatic update system and can also install by bringing up the “About” dialogue for the relevant application and selecting the “Apply Upgrade” button when it appears. Firefox and Thunderbird 10 released at the end of January.
The updates are also available for the new ESR (Extended Support Release) versions of the browser and email client, Firefox ESR and Thunderbird ESR which are currently in their “qualification” phase.