The second update to the latest version of Mozilla's open source browser is now available for download. Although Firefox 3.6.3 could have been the refresh that delivered the build codenamed Lorentz to users, the release is in fact nothing more than a security update. With Firefox 3.6.3, Mozilla rushed out a fix for a Critical-rated vulnerability that was previously unknown to the vendor and for which a working exploit was demonstrated at the Pwn2Own hacking contest at CanSecWest 2010.
“A memory corruption flaw leading to code execution was reported by security researcher Nils of MWR InfoSecurity during the 2010 Pwn2Own contest sponsored by TippingPoint's Zero Day Initiative. By moving DOM nodes between documents Nils found a case where the moved node incorrectly retained its old scope. If garbage collection could be triggered at the right time then Firefox would later use this freed object,” Mozilla noted.
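As an added illustration of the bug class Mozilla describes, and not code from the article or from Gecko: a small C model in which each "document" keeps a list of the nodes it owns and will free when it is collected. A buggy adoption hands the node to the new document without taking it off the old document's list, so the node retains its old scope and two owners claim it; collecting the old document would then free memory the new document still points at. The fixed adoption releases the node from its old owner first. The names (Document, move_node_buggy, move_node_fixed, document_collect, owner_count) and the array-based owner lists are assumptions made for this model and say nothing about how Gecko actually tracks node ownership.

```c
/* Added model of the ownership bug in the advisory; not Gecko code.
 * A node on two owner lists at once is freed by whichever document is
 * collected first, leaving the other with a dangling pointer. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NODES 8
struct Document;

typedef struct Node {
    struct Document *owner;   /* the document this node believes owns it */
    char name[16];
} Node;

typedef struct Document {
    Node *nodes[MAX_NODES];   /* owner list: everything collect() will free */
    int count;
} Document;

void document_add(Document *doc, Node *n) {
    if (doc->count >= MAX_NODES) abort();
    doc->nodes[doc->count++] = n;
}

/* Remove n from doc's owner list; returns 1 if it was there, else 0. */
int document_remove(Document *doc, Node *n) {
    for (int i = 0; i < doc->count; i++)
        if (doc->nodes[i] == n) { doc->nodes[i] = doc->nodes[--doc->count]; return 1; }
    return 0;
}

int document_holds(const Document *doc, const Node *n) {
    for (int i = 0; i < doc->count; i++)
        if (doc->nodes[i] == n) return 1;
    return 0;
}

Node *node_create(Document *doc, const char *name) {
    Node *n = calloc(1, sizeof *n);   /* calloc keeps name NUL-terminated */
    if (!n) abort();
    strncpy(n->name, name, sizeof n->name - 1);
    n->owner = doc;
    document_add(doc, n);
    return n;
}

/* Buggy adoption: dst takes the node but src never lets go of it, so the
 * node sits on two owner lists ("retained its old scope"). */
void move_node_buggy(Node *n, Document *dst) {
    n->owner = dst;
    document_add(dst, n);
}

/* Fixed adoption: the old scope releases the node before the new one claims it. */
void move_node_fixed(Node *n, Document *dst) {
    if (n->owner) document_remove(n->owner, n);
    n->owner = dst;
    document_add(dst, n);
}

/* Stand-in for garbage-collecting one document: free its owner list and
 * return how many nodes were freed. After move_node_buggy this frees a node
 * the other document still reaches; any later access there is a use after free. */
int document_collect(Document *doc) {
    int freed = doc->count;
    for (int i = 0; i < doc->count; i++) { free(doc->nodes[i]); doc->nodes[i] = NULL; }
    doc->count = 0;
    return freed;
}

/* Number of documents in docs that claim n; more than 1 is the dangerous state. */
int owner_count(const Node *n, Document **docs, int ndocs) {
    int count = 0;
    for (int i = 0; i < ndocs; i++) count += document_holds(docs[i], n);
    return count;
}

int main(void) {
    Document old_doc = {0}, new_doc = {0};
    Document *docs[] = { &old_doc, &new_doc };

    Node *n = node_create(&old_doc, "div");
    move_node_buggy(n, &new_doc);
    printf("buggy move: %d documents claim the node\n", owner_count(n, docs, 2));
    /* Collecting old_doc now would free n behind new_doc's back; repair the
     * bookkeeping instead of exercising the undefined behaviour. */
    document_remove(&old_doc, n);

    Node *m = node_create(&old_doc, "span");
    move_node_fixed(m, &new_doc);
    printf("fixed move: %d document claims the node\n", owner_count(m, docs, 2));
    printf("collecting old document freed %d nodes; \"%s\" still live\n",
           document_collect(&old_doc), m->name);
    document_collect(&new_doc);   /* frees n and m through their only owner */
    return 0;
}
```

The point of the model is the owner-count check: a move is only safe when exactly one collector can ever free the object. In a real engine the equivalent invariant is that a node's wrapper, scope and ownership bookkeeping all agree on one document after adoption.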
At CanSecWest, white-hat hackers succeeded in owning Mac OS X and Windows 7 machines by exploiting vulnerabilities in Safari, Internet Explorer 8 and Firefox 3.6. The Windows 7 machine was hacked through a previously undisclosed (0-day) memory corruption vulnerability, with the security researcher also bypassing the 64-bit (x64) Windows exploit mitigations Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).
“As part of Mozilla’s ongoing stability and security update process, Firefox 3.6.3 is now available as a free download for Windows, Mac, and Linux,” Mozilla’s Christian Legnitto revealed. “We strongly recommend that all Firefox users upgrade to this latest release. If you already have Firefox 3.6 you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting ‘Check for Updates…’ from the Help menu. All Firefox 3 and 3.5 users are strongly encouraged to upgrade to Firefox 3.6.”
Mozilla underlines that the vulnerability only affects Firefox 3.6 and poses no risk to users running earlier versions of the open source browser. A fix will nonetheless be included in the next security and stability update for Firefox 3.5. Mozilla will not do the same for Firefox 3.0.x: version 3.0.19 was the last update for that branch, with the predecessor of Firefox 3.5 having reached end of support at the end of March 2010.
Firefox 3.5.9 is available for download for Windows, Mac OS X and Linux.
Firefox 3.0.19 is available for download for Windows, Mac OS X and Linux.
Firefox 3.7 Alpha 3 / Mozilla Developer Preview of Gecko 1.9.3 Alpha 3 is available for Windows, Mac OS X and Linux.