Firefox 3.5.1 Patches a Critical Security Bug

The first update to 3.5 has launched ahead of schedule

By on 17 Jul 2009, 06:54 GMT
A critical security vulnerability in the latest Firefox 3.5 was disclosed a few days ago affecting the Just-in-Time (JIT) JavaScript compiler. The bug could be used by an attacker to execute malicious code if the users visited a site specially designed for this requiring no other interaction from them. Considering the potential damage, Mozilla didn't take long to release a patched version, Firefox 3.5.1, the first update since the new version came out.

Mozilla says the bug “could result in an exploitable memory corruption problem. In certain cases after a return from a native function, such as escape(), the Just-in-Time (JIT) compiler could get into a corrupt state. This could be exploited by an attacker to run arbitrary code such as installing malware.” The workaround that involved disabling the JIT compiler is no longer necessary in the latest version.

The bug discovery pushed 3.5.1 to be released ahead of schedule and the JIT compiler vulnerability is the only security issue resolved, but the latest version also includes some other bug fixes Mozilla developers were working on, like some stability problems and also an issue that made the browser have unusually long load times on some Windows machines.

Mozilla is urging all Firefox 3.5 users to upgrade and will also release 3.5.1 though its automated update system. All versions of Firefox 2 are no longer supported, have known vulnerabilities and should also be updated as soon as possible. Note that Google Gears 0.5.29.0, which brought compatibility with Firefox 3.5, is no longer working with 3.5.1.

“We strongly recommend that all Firefox 3.5 users upgrade to this latest release. If you already have Firefox 3.5, you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting ‘Check for Updates…’ from the Help menu,” Browser Director Mike Beltzner writes in a blog post.

Firefox 3.5.1 for Windows can be downloaded here.
Firefox 3.5.1 for Linux can be downloaded here.
Firefox 3.5.1 for Mac OS X can be downloaded here.

Comments

Firefox 3.5.1 is now available for download
   Firefox 3.5.1 is now available for download