Mozilla patches Firefox 4


The most important of the bugs was a programming lapse that left Firefox 4 open to less-sophisticated attacks.

"The WebGLES libraries in the Windows version of Firefox were compiled without ASLR protection," stated the advisory labeled MFSA 2011-17. "An attacker who found an exploitable memory corruption flaw could then use these libraries to bypass ASLR on Windows Vista and Windows 7, making the flaw as exploitable on those platforms as it would be on Windows XP or other platforms."
The WebGLES graphics libraries support WebGL, an open-source extension to JavaScript that lets developers render interactive 3-D graphics content.
WebGL is supported in shipping versions of Firefox and Google's Chrome, in a preview build of Opera Software's Opera, and will be backed by Safari in its next upgrade.
The Khronos Group, an industry consortium whose members include Mozilla, Google, Opera and Apple, released the final specification of WebGL 1.0 just last month.
ASLR, or address space layout randomization, is one of the security underpinnings of Windows Vista and Windows 7. It's designed to make it more difficult for attackers to locate addressable memory space that can be used to execute exploits.
"The WebGLES libraries could potentially be used to bypass a security feature of recent Windows versions," Mozilla acknowledged. "WebGL was introduced in Firefox 4; older versions are not affected by these issues."
Mozilla credited a researcher who goes only by his first name, "Nils," for reporting the ASLR oversight. Nils may be best known for his work at the annual Pwn2Own hacking contest, where in 2009 he exploited Internet Explorer, Firefox and Safari in short order to win $15,000 in cash awards.
At 2010's Pwn2Own, Nils won $10,000 by sidestepping ASLR and DEP (data execution prevention), another anti-exploit technology found in Windows, to hack Firefox 3.6.
Mozilla also upgraded older editions of Firefox to 3.6.17 and 3.5.19, noting that the latter was the last security update for the aged browser.
"This is the last planned security and stability release for Firefox 3.5," said Christian Legnitto, who oversees Firefox releases. "All users are encouraged to upgrade to Firefox 4."
The support expiration for Firefox 3.5 will affect a minority of Mozilla's users: As of the end of March, just 1.7% of all users worldwide were running the browser, according to statistics from Web metrics company Net Applications.
Users can update to Firefox 4.0.1 by downloading the new edition -- which runs on Windows, Mac and Linux -- or by selecting "Check for Updates" from the Help menu in the browser. Firefox 3.6 and 3.5 users can obtain their newest versions with the update tool.

source : http://www.computerworld.com/s/article/9216294/Mozilla_patches_Firefox_4_fixes_programming_bungle?taxonomyId=17&pageNumber=1
