Mozilla Patches HTML5 Bugs In Firefox 9

It continues to be a busy period for Mozilla after it released a software update less than a day after it released its latest version of the Firefox browser.

Mozilla patched six Firefox vulnerabilities in the new Firefox 9, which it officially released on 20 December. Four of the issues were rated “critical,” and the remaining two were rated “high” and “moderate.” Mozilla also released Firefox 9.0.1 on 21 December to fix a bug that was causing the Mac version of the popular browser to crash.

Bug Fixes

Two critical patches addressed HTML5 security in Firefox, the Thunderbird email client and SeaMonkey, an all-in-one suite that combines a web browser with email, newsgroups, feed and chat clients. Mozilla fixed a bug that caused applications to crash when an OGG <video> element was scaled to “extreme sizes,” according to the 2011-58 security advisory. The other issue was an out-of-bounds memory access flaw in how Mozilla implemented SVG in these applications, according to the 2011-55 advisory. This flaw was reported by HP Tipping Point’s Zero Day Initiative.

“One problem that was pointed out by various people is the fact that the addition of the <video> and <audio> tags requires the inclusion of respective file format parsers in the browser. These parsers have been known in the past to be the source of various security issues,” said Johannes Ullrich, of SANS Institute’s Internet Storm Centre.

Another critical patch addressed 23 memory bugs that developers found and fixed in the core browser engine. Mozilla said these bugs couldn’t be exploited in Thunderbird and SeaMonkey because scripting is disabled, but posed a potential risk in the Web browser. They do not affect the browser engine being used in versions before Firefox 4.

“Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code,” Mozilla wrote in the 2011-53 security advisory.

Automatic Updates

Firefox 9 still does not have the “silent update” mechanism that Mozilla promised in the summer of 2010. Silent updates are now expected in Firefox 12, due in April 2012.

At the moment, Google’s Chrome Web browser is the only major browser that upgrades itself to the latest version without requiring any user interaction.

Microsoft announced this month it will also implement automatic updates for Internet Explorer.

Java Vulnerability

Mozilla also released Firefox 3.6.125 to fix the Java .jar vulnerability in the Mac OS X version of the browser that had been patched in September. Mozilla rolled out the new update because the original patch (2011-40) turned out to be incorrect. Firefox 3.6 was released in 2010 and is still being supported, even though Mozilla is encouraging users to move to newer versions that take advantage of the rapid-release schedule.

The vulnerability, which treats downloaded .jar files as fully featured “applications” instead of granting limited privileges as “applets,” was also in Mozilla’s Thunderbird email client and has been fixed in Thunderbird 3.1.17.

The company recently moved to a rapid development cycle, updating the Web browser every six weeks. Firefox 10 is scheduled for 31 January, 2012.

In this latest version, Mozilla optimized its SpiderMonkey JavaScript engine to generate native code more efficiently. Firefox 9 renders JavaScript between 16 percent and 36 percent faster than previous versions, Mozilla said, citing results from various JavaScript benchmark test suites.

Firefox 9’s interface Mac OS X 10.7 has been tweaked to support Mac OS Lion’s two-fingered swipe gesture for navigating backward and forward through already-viewed pages and sites. The Android version’s interface has also been revamped.