Mozilla fixes Firefox holes, curtails clickjacking

September 8, 2010 3:00 AM PDT

by Stephen Shankland

Mozilla released two new versions of its browser on Tuesday, Firefox 3.6.9 and Firefox 3.5.12, to close 10 critical security vulnerabilities in each and to help Web site operators block a risk called clickjacking. Firefox 3.6.9 is also available from CNET for Windows, Mac, and Linux.

Critical vulnerabilities can let a remote attacker run arbitrary code on a computer. With Web browsers becoming both more important and more powerful, browser makers must constantly watch for new attack possibilities.

Firefox 3.6 also gets a new general approach to cut down browsing risks: support for what’s called the X-Frame-Options HTTP response header. Web site developers can use this technology to block browsers from showing their Web sites inside a frame–essentially a smaller window within the browser window. Putting a legitimate site inside a frame on a malicious site is one approach for attacks called clickjacking, in which the malicious site can capture keystrokes such as usernames and passwords.
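How a site operator might send the header and how a supporting browser acts on it, as an added example that is not code from the article or from Mozilla. The `DENY` and `SAMEORIGIN` values are the header's standard values but are not named in the article; the class and function names and the `.example` URLs are hypothetical, and the browser-side function is a simplified model.

```python
from urllib.parse import urlsplit

ALLOWED = {"DENY", "SAMEORIGIN"}  # standard values; the article names only the header

class FrameOptionsMiddleware:
    """WSGI middleware: add X-Frame-Options unless the app already set it."""
    def __init__(self, app, policy="DENY"):
        policy = policy.upper()
        if policy not in ALLOWED:
            raise ValueError(f"unsupported X-Frame-Options value: {policy}")
        self.app, self.policy = app, policy

    def __call__(self, environ, start_response):
        def patched(status, headers, exc_info=None):
            if not any(k.lower() == "x-frame-options" for k, _ in headers):
                headers = list(headers) + [("X-Frame-Options", self.policy)]
            return start_response(status, headers, exc_info)
        return self.app(environ, patched)

def origin(url):
    """(scheme, host, port) triple used for the same-origin comparison."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or {"http": 80, "https": 443}.get(u.scheme))

def may_render_in_frame(headers, framed_url, parent_url):
    """Simplified model of a supporting browser deciding whether to show a frame."""
    value = next((v for k, v in headers if k.lower() == "x-frame-options"), None)
    if value is None:
        return True                       # no header: framing is unrestricted
    value = value.strip().upper()
    if value == "DENY":
        return False                      # never shown inside any frame
    if value == "SAMEORIGIN":
        return origin(framed_url) == origin(parent_url)
    return True                           # unrecognised value: treated as absent here

def demo_app(environ, start_response):
    """Constructed sample app standing in for a login page."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<form>login</form>"]

def response_headers(app):
    """Call a WSGI app once and return the response headers it sent."""
    captured = []
    def start_response(status, headers, exc_info=None):
        captured.extend(headers)
    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return captured
```

Without the middleware, `demo_app` sends no header and the model allows framing from any parent page, which is the condition the header is meant to close.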

For the new versions of Firefox 3.5 and 3.6, 9 of the 10 critical vulnerabilities are the same, but one problem on 3.5 is minor on 3.6, and one 3.6 problem didn’t affect 3.5. In addition, several noncritical security vulnerabilities were patched. Full details are available on the security pages for 3.6.9 and 3.5.12.

Mozilla also is racing to release Firefox 4 this year. It released a fifth Firefox 4 beta on Tuesday, adding support for some hardware acceleration on Windows, among other features.

However, not all the Firefox 4 hopes are coming to fruition. According to meeting notes published Tuesday, another feature slipped off the roadmap: a Firefox developer tool called the Inspector that would have made it easier to find details about elements on Web pages.

It also seems likely Mozilla won’t meet its Friday deadline for freezing the code base for the sixth beta–the last cutoff point for getting new features into Firefox 4. A week later, September 17, now looks more likely, according to the meeting notes.

Also updated Tuesday were the stable and beta versions of Google’s new Chrome 6 browser with the release of version 6.0.472.55 (Windows, Mac, Linux). This update fixes problems with autofill, which can enter data such as addresses and names into Web forms; the overwriting of the default search engine setting; and some issues with Chrome’s translation ability.

Originally posted at Deep Tech
Patch your browsers and keep safe on the web
Douglas Beard
