Mozilla Plans Fix For Critical Firefox Vulnerability In Next Release

Trailrunner7 writes "A month after an advisory was published detailing a new vulnerability in Firefox, Mozilla said it has received exploit code for the flaw and is planning to patch the weakness on March 30 in the next release of Firefox. Mozilla officials said Thursday that the vulnerability, which was disclosed February 18 by Secunia, is a critical flaw that could result in remote code execution on a vulnerable machine. The vulnerability is in version 3.6 of Firefox."

Re:1.5 months for a response and release?!

[bunratty]

The flaw was disclosed to Mozilla only recently (perhaps just a few days ago), and there is already a patched build available.

Re:1.5 months for a response and release?!

[wizardforce]

Mozilla already has released a beta build of Firefox 3.6.2, which contains the fix for the unpatched vulnerability.

A fix already exists, it's just not in the official release.

Re:What kept them?

[bunratty]

Because the vulnerability was not disclosed to Mozilla at first.

Re:Planning? It's not enough!

[Anonymous Coward]

RTFA. The fix is already there in beta version of Firefox 3.6.2. They're QA-ing it.

Re:Someone enlighten me

[marcansoft]

QA. New releases need to go through QA anyway to make sure they haven't botched anything up.

Usually the release process for a large piece of software requires a certain degree of human interaction (anywhere from light to extreme), and there's always the possibility that something will mess up, even if the bugfix itself is perfectly trivial or safe.

Re:Planning? It's not enough!

[maxume]

Are you being intentionally ridiculous?

The fix is in the latest beta release already, that binary is slated to be the release candidate, and if testing goes well, it will be the release.

Re:Planning? It's not enough!

[Athanasius]

As someone else already quoted:

Mozilla already has released a beta build of Firefox 3.6.2, which contains the fix for the unpatched vulnerability

You can already go and download that 3.6.2 beta [mozilla.org] if you want, I did.

The 'planning' is about the data of 3.6.2's release, not whether or not it will have this fix included.

Re:1.5 months for a response and release?!

[masmullin]

RTFS

March 30th.

Re:1.5 months for a response and release?!

[Anonymous Coward]

1) about:config
2) app.update.channel = beta

And join the beta testers :)

Re:1.5 months for a response and release?!

[BrokenHalo]

There is someone, somewhere that would likely fix it and recompile.

If you had taken the trouble to read the fine (and brief) article, you would be aware that the fix is already available in the release candidates.

Re:So this just shows, that you can't relax.

[TheRaven64]

(And even if your old CPU doesn't support the NX bit, DEP will work for you as they have a software emulation for it in the OS.)

Not true. The DEP code on machines without NX bit support in the page tables will only protect you from a certain category of attack involving Microsoft's Structured Exception Handling system.

Contrast this with the OpenBSD implementation, which uses the x86 segment protection mechanism to enforce W^X when the NX bit is not present.

Re:Someone enlighten me

[bunratty]

If the vulnerability were publicly (fully) disclosed, perhaps Mozilla would rush a fix out the door. As far as I know, there has been limited disclosure of the vulnerability to only a few parties, and I haven't heard that the vulnerability is being exploited.

Re:fixed...

[camperslo]

The 3.6.2 beta has worked fine for me, but those uncomfortable with that and not willing to wait can avoid the bug by using a 3.5x version. The vulnerability is only in 3.6 series releases.

Re:Updating... how to?

[Bambi Dee]

When I go to mozilla.com, a big green button offers me a .tar.bz2 with a distro-agnostic Firefox binary. Isn't that what you mean?