The first update to Firefox 3.6 has been released and is now available for download. Users of the latest iteration of Mozilla’s open source browser can update straight to version 3.6.2. Softpedia readers have already been informed that Mozilla planned to skip 3.6.1 altogether, so the 3.6.2 version number should come as no surprise. What did change is the schedule. The releases of Firefox 3.6.2, Firefox 3.5.9 and Firefox 3.0.19 were originally synchronized and planned for March 30. Because it needed to fix a security vulnerability that exists only in version 3.6, Mozilla is shipping 3.6.2 ahead of the other two.
“As part of Mozilla’s ongoing stability and security update process, Firefox 3.6.2 has been released ahead of schedule and is now available as a free download for Windows, Mac, and Linux,” Mike Beltzner, director of Firefox, revealed.
Firefox 3.6.2 delivers a patch for a Critical vulnerability disclosed by Evgeny Legerov of Intevydis. According to Mozilla, the flaw lies in a font decompression routine. “The WOFF [Web Open Font Format] decoder contains an integer overflow in a font decompression routine. This flaw could result in too small a memory buffer being allocated to store a downloadable font. An attacker could use this vulnerability to crash a victim's browser and execute arbitrary code on his/her system,” the browser maker said in a security advisory. In other words, a length computed from values inside the attacker-supplied font wraps around, the decoder allocates a buffer based on the wrapped (too small) value, and the decompressed font data then overruns that heap buffer.
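As an added illustration (not Mozilla's code and not a reconstruction of the actual WOFF decoder), the C program below models the bug class the advisory describes: an output buffer sized from a sum of attacker-controlled 32-bit lengths that silently wraps to a small value, placed beside a checked version that rejects the font instead of allocating. The `table_entry` fields, the 64 MiB cap and the two sample directories are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

/* Schematic WOFF-style table directory entry (constructed for this example;
 * not Mozilla's struct). The WOFF container stores, per table, the compressed
 * length and the length the table will have once decompressed. Both values
 * come straight from the downloaded font, so an attacker controls them. */
struct table_entry {
    uint32_t comp_length;
    uint32_t orig_length;
};

/* sfnt tables are padded to 4-byte boundaries. Note this wraps for values
 * above 0xFFFFFFFC, which is one way a length sum can be poisoned. */
static uint32_t pad4(uint32_t n) { return (n + 3u) & ~3u; }

/* Vulnerable pattern: the decoder sizes the output buffer from the sum of the
 * attacker-supplied original lengths, in 32-bit arithmetic, with no overflow
 * check. A crafted directory wraps the sum to a tiny number; the buffer is
 * allocated at that size and each table is then decompressed into it. */
uint32_t vuln_sfnt_size(const struct table_entry *t, size_t n) {
    uint32_t total = 12u + 16u * (uint32_t)n;   /* sfnt header + directory */
    for (size_t i = 0; i < n; i++)
        total += pad4(t[i].orig_length);        /* silent wrap-around */
    return total;
}

/* Hardened pattern: accumulate in 64 bits, bound every table and the running
 * total by a hard cap, and reject the font instead of allocating. Returns the
 * buffer size to allocate, or -1 if the directory is rejected. */
long long checked_sfnt_size(const struct table_entry *t, size_t n,
                            uint32_t max_font_bytes) {
    uint64_t total = 12ull + 16ull * (uint64_t)n;
    for (size_t i = 0; i < n; i++) {
        if (t[i].orig_length > max_font_bytes)
            return -1;                          /* one table alone exceeds the cap */
        total += ((uint64_t)t[i].orig_length + 3ull) & ~3ull;
        if (total > max_font_bytes)
            return -1;                          /* running total exceeds the cap */
    }
    return (long long)total;
}

/* Constructed directories (sample data, not taken from any real font). */
const struct table_entry crafted_dir[2] = {
    { 0x100u, 0xFFFFFFF0u },   /* claims ~4 GiB of decompressed output */
    { 0x010u, 0x00000020u },
};
const struct table_entry benign_dir[2] = {
    { 0x80u, 0x100u },
    { 0x40u, 0x081u },
};

/* Sanity cap (assumed): a downloadable font larger than this is rejected. */
#define MAX_FONT_BYTES (64u * 1024u * 1024u)

int main(void) {
    uint32_t v = vuln_sfnt_size(crafted_dir, 2);
    printf("vulnerable sizing allocates %" PRIu32 " bytes for a table claiming %" PRIu32 " bytes\n",
           v, crafted_dir[0].orig_length);
    printf("checked sizing: crafted -> %lld, benign -> %lld\n",
           checked_sfnt_size(crafted_dir, 2, MAX_FONT_BYTES),
           checked_sfnt_size(benign_dir, 2, MAX_FONT_BYTES));
    return 0;
}
```

With the crafted directory, the naive sum wraps to 60 bytes while the first table alone claims nearly 4 GiB of output, which is exactly the "too small a memory buffer" condition the advisory describes; the checked version returns -1 for that input and 432 for the benign one. The general fix is the same for any container format that trusts embedded lengths: widen the arithmetic, cap the total, and validate before the allocation rather than after.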
Notably, older versions of Firefox are not affected. The security flaw exists in a component introduced with the successor of Firefox 3.5. “Note: Support for the WOFF downloadable font format is new in Firefox 3.6; this vulnerability does not affect earlier versions of Firefox or other products built on the Mozilla browser engine,” Mozilla explained.
Firefox 3.6 itself was released in the second half of January 2010, and Legerov made the WOFF heap corruption vulnerability public about a month later. The flaw was included in the VulnDisco exploit pack, designed as an add-on to the Canvas penetration testing kit. Mozilla had to scramble to deal with the issue, since the flaw was disclosed irresponsibly, without giving the vendor time to ship a fix, gratuitously putting users at risk.
“If you already have Firefox 3.6 you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting ‘Check for Updates…’ from the Help menu,” Beltzner added.
Firefox 3.6.2 for Windows is available for download here.