Netstat -vat by Sean Michael Kerner (bio)

A command line view of IT



Firefox 3.5 zero-day flaw fixed in Firefox 3.6

From the 'no that's not a typo' files:

On Tuesday, I wrote about the new critical 0-day flaw that is now publicly available for Firefox 3.5.  As of 10 AM ET today there is no publicly released fix for regular Firefox 3.5 users, but users of the next generation Firefox 3.6 browser are already covered.

Huh?

Mozilla staffer Daniel Veditz commented on the Mozilla security blog that the Tuesday nightly build of Firefox 3.6 had a fix in it for the critical JavaScript flaw. Firefox 3.6 currently has a pre-alpha build as well as a nightly build available that is updated (by definition) every night.

"It was checked in yesterday, a few hours _before_ we learned of the milw0rm posting," Veditz wrote. "This fix was going to be in the 3.5.x update we had scheduled for the end of July, but obviously now we have moved up the schedule for release."

Considering that the JavaScript attack has now been weaponized on Metasploit and there are millions of Firefox 3.5 users (likely not millions yet for the 3.6 nightlies) - the obvious question to ask is why 3.6 first?

The obvious answer (in my opinion) is that the nightlies are not by definition the stable build so they are the right place to put a fix first. It gives testers a chance to test the fix before it gets pushed out to millions of users. It does however raise an interesting point.

Are Firefox 3.6 users now more secure than Firefox 3.5 users? And if I really want to be secure should I be running the nightlies instead of the stable release?

It's a tough question. The reason why the nightlies are the best place to put a fix first is because users don't expect the release to be stable. So while it might get the fix first, the overall release is not as stable for everyday use as the general release. I suspect that we'll see the Firefox 3.5.1 release very soon (today or tomorrow) so the risk exposure window is still relatively small - but there is still a window.

I guess you can't really have your cake and eat it too.


1 Comments

Mark said:


Or just install noscript in your 3.5 or go in about:config and set the
javascript.options.jit.content to false
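
A defender's check for the mitigation named in the comment above, as an added example that is not part of the original post or comment: this Python script reports, per Firefox profile directory, whether javascript.options.jit.content is effectively set to false. The profile names and file contents are constructed, and treating an unset preference as true (JIT on) is an assumption about the Firefox 3.5 default.

```python
import re
import tempfile
from pathlib import Path

PREF = "javascript.options.jit.content"
DEFAULT = True  # assumption: an unset pref means the content JIT is on

# Matches boolean user_pref() lines only; a line starting with // never matches.
# /* ... */ block comments are not handled.
_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;', re.M)

def read_bool_prefs(text):
    """Return {name: bool} for boolean prefs; a later line overrides an earlier one."""
    return {name: val == "true" for name, val in _LINE.findall(text)}

def effective_jit(profile_dir):
    """Return (jit_enabled, source) for one profile directory."""
    value, source = DEFAULT, "default"
    for fname in ("prefs.js", "user.js"):  # user.js is applied last at startup
        path = Path(profile_dir) / fname
        if path.is_file():
            prefs = read_bool_prefs(path.read_text(errors="replace"))
            if PREF in prefs:
                value, source = prefs[PREF], fname
    return value, source

def audit(profiles_root):
    """Map each profile directory name to (jit_enabled, source)."""
    dirs = sorted(p for p in Path(profiles_root).iterdir() if p.is_dir())
    return {p.name: effective_jit(p) for p in dirs}

def demo():
    """Audit three constructed profiles written to a temporary directory."""
    off = 'user_pref("%s", false);\n' % PREF
    on = 'user_pref("%s", true);\n' % PREF
    samples = {
        "aaaa.default": {"prefs.js": off},                          # mitigated
        "bbbb.work": {"prefs.js": 'user_pref("browser.startup.page", 3);\n'},
        "cccc.test": {"prefs.js": off, "user.js": on},              # user.js undoes it
    }
    with tempfile.TemporaryDirectory() as root:
        for prof, files in samples.items():
            (Path(root) / prof).mkdir()
            for fname, body in files.items():
                (Path(root) / prof / fname).write_text(body)
        return audit(root)

if __name__ == "__main__":
    for name, (enabled, source) in demo().items():
        print(f"{name}: jit.content={'ON' if enabled else 'off'} (from {source})")
```

To audit a real installation, pass the directory that holds the profile folders to audit(); the cccc.test case shows why user.js has to be checked as well as prefs.js.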
