Security flaws fixed in Firefox update

Mozilla has released a new version of its Firefox browser containing critical security updates. Version 1.5.0.1 of the browser, released Wednesday, also contains a number of “stability” fixes to address problems causing the browser to gum up the performance of some systems.

Wednesday’s release marks the first time Mozilla developers have used the product’s new automatic update mechanism, which was introduced with version 1.5 of the browser.

By Thursday, some users were complaining on online forums that they had not been automatically notified of the software updates, as expected. But this delay is happening because Mozilla is staggering the updates to prevent its servers from overloading, according to Mike Schroepfer, vice president of engineering with Mozilla.

Before Wednesday’s software release, the updating service had been tested with about 500,000 early testers and it worked fine, Schroepfer said. “There’s no need to panic,” he said. “I have high confidence that [all users] will get the update.”

The new release’s eight security fixes have been cumulatively been rated as “highly critical,” by security firm Secuina, because some of them could theoretically be exploited to take over an unpatched PC.

However, this risk is mitigated because there is no known code in circulation that exploits any of the bugs, according to Schroepfer. “They’re all things we’ve found internally,” he said.

As of Thursday morning, Firefox users had downloaded about 10 million updates and Schroepfer estimated that another 10 million to 15 million were to come.

Though the new release is not supposed to break any of Firefox extensions, some users had reported problems with some of these add-on programs. Marc Orchant, a blogger and marketing executive with VanDyke Software, said that the update broke four of the 20 extensions he uses.

By Thursday morning, two out of his three PCs running Firefox had updated, and Orchant was generally pleased with the experience. “Both of them updated without incident,” he said “and it did a very nice job of telling me which extensions it was breaking for me.”

Orchant was also impressed that Mozilla developers had taken steps to address memory leak problems that were causing his browser to consume as much as 200M bytes of system resources, at times. “They appear to have fixed the most significant memory leaks,” he said. “It seems to be hovering at the 45M byte range now.”

Also on Thursday, Secunia warned of a “moderately critical” bug in the way Mozilla’s Thunderbird e-mail client processes e-mail that uses the JavaScript Web programming language. Users are advised to disable JavaScript and to be careful about opening e-mail from untrusted sources, to avoid any associated problems, Secunia said.