Firefox joins in security update whirlwind

Along with the recent updates to Microsoft's Internet Explorer, Apple's Safari fixes, and the latest Opera patches, Mozilla has released its own security updates for Firefox.

The Firefox updates include fixes for current versions to prevent JavaScript privilege escalation, cross-site scripting vulnerabilities, and other bugs that could be used to install and run malicious code.

“There are actually several different vulnerabilities being addressed across the products,” Ben Greenbaum, senior research manager at Symantec Security Response, told SCMagazineUS.com on Wednesday. “Some are as minor as the ability to crash the browser, to as major as being able to run the code of choice on the victim's computer.”

In all, eight security bulletins were released, three of which were labeled “critical”; another had a “high severity” rating, meaning it can be used “to gather sensitive data from sites in other windows or inject data or code into those sites.”

Also, Mozilla said that it is not planning any further security and stability updates for Firefox 2, and recommends that users “upgrade to Firefox 3 as soon as possible.”

This is not unusual, Greenbaum said. “Typically, software vendors will put a window of support on a product, and after that window expect the users to upgrade.”

The nearly simultaneous timing of the announcements from the major vendors seems to be a coincidence, experts said.

“All of the browser makers are aware that the browser has become the target of choice for the bad guys,” Greenbaum said. “All of them are reacting to try to minimize user risk. There are no bulletproof browsers. This last couple of days demonstrates that. Every browser has faults that can be found.”

What about the future?

In the coming year, visiting websites will continue to present the largest exposure to potentially malicious content, he said.

“Attackers will continue to look for security vulnerabilities in browsers, and they are going to continue finding them,” Greenbaum said. “And vendors are going to continue to release patches. Users should continue to apply those patches as soon as possible.”

 
