Firefox 3.6.12 update fixes zero day vulnerability

Mozilla has issued a quick update for Firefox 3.6 to address a critical vulnerability discovered last Monday and announced on several sites the next day.

According to the bug report, a malicious web site is already attempting to exploit the vulnerability, making this a zero day kind of problem.

To fix this, click on Check for Updates… in the Help menu, and follow the onscreen instructions.

Firefox update with 14 security fixes available now

Mozilla has released a new update for Firefox 3.6. Firefox 3.6.9 features 67 bug fixes including patches for 14 security vulnerabilities, 10 of them labeled as critical.

So you may want to update before even finishing this post: click on the Help menu, and select Check for Updates…

Now that you have updated, Firefox supports X-Frame-Options, a web server directive that tells the browser not to load a web page if it is embedded in another one (through a <frame> or <iframe> tag). This will help prevent some kinds of clickjacking attacks.
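How a site would send the directive and how a supporting browser acts on it, as an added example that is not code from this post or from Mozilla: a small WSGI middleware plus a simplified model of the browser-side check. The function names, the sample page and the `.example` hosts are constructed for illustration, and the model compares the framed page only with its embedding page.

```python
from urllib.parse import urlsplit

def add_xfo(app, policy="DENY"):
    """WSGI middleware (hypothetical name): send one X-Frame-Options header."""
    if policy not in ("DENY", "SAMEORIGIN"):
        raise ValueError("policy must be DENY or SAMEORIGIN")
    def wrapped(environ, start_response):
        def patched(status, headers, exc_info=None):
            # Drop any upstream copy so the browser sees a single value.
            headers = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            headers.append(("X-Frame-Options", policy))
            return start_response(status, headers, exc_info)
        return app(environ, patched)
    return wrapped

def origin(url):
    """(scheme, host, port) tuple used for the SAMEORIGIN comparison."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or {"http": 80, "https": 443}.get(scheme)

def may_render_in_frame(headers, page_url, parent_url):
    """Simplified model of the browser check for a page loaded in a frame."""
    values = {v.strip().upper() for k, v in headers if k.lower() == "x-frame-options"}
    if "DENY" in values:
        return False                      # never render inside a frame
    if "SAMEORIGIN" in values:
        return origin(page_url) == origin(parent_url)
    return True                           # header absent or unrecognised: framing allowed

def demo_app(environ, start_response):
    """Constructed sample page with a sensitive button."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<button>Confirm transfer</button>"]

def response_headers(app):
    """Call a WSGI app once and return the headers it sent."""
    seen = []
    def start_response(status, headers, exc_info=None):
        seen.extend(headers)
    list(app({}, start_response))
    return seen

if __name__ == "__main__":
    page, other = "https://bank.example/pay", "https://other-site.example/game"
    for label, app in [("none", demo_app), ("DENY", add_xfo(demo_app)),
                       ("SAMEORIGIN", add_xfo(demo_app, "SAMEORIGIN"))]:
        h = response_headers(app)
        print(label, may_render_in_frame(h, page, other), may_render_in_frame(h, page, page))
```
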

Firefox 3.6.4 now available with out of process plugins

Firefox 3.6.4 has finally arrived, and as expected it brings added stability by making Adobe Flash, Apple Quicktime or Microsoft Silverlight plugins run on their own process, so if something goes wrong with them, your whole session will still survive and you will be given an option to reload the plugin.

While Silverlight, Flash, and QuickTime are supported out of the box as they were subject to intense quality control, you can actually run any plugin on its own process. You just need to know the name of the plugin library (which you get from about:plugins).

For example, to have the Adobe Reader plugin running on its own process, create a boolean preference in about:config, name it dom.ipc.plugins.enabled.nppdf32.dll, set it to true, and restart. For Java, the preference must be named dom.ipc.plugins.enabled.npjp2.dll, and so on.

Conversely, you can disable OOPP for plugins that are enabled by default by creating their respective preference and setting it to false.

This update also includes fixes to four critical and a few other less severe vulnerabilities, so you are strongly encouraged to update right away. Just click on Check for Updates… in the Help menu.

The next version will be labeled 3.6.6, skipping 3.6.5, to synchronize version numbers with Firefox for mobile devices.

You can get more details in the release notes.

Firefox 3.6 about 30% more stable than Firefox 3.5

So if you haven’t updated yet, there goes another reason to do so now.

According to a report released by Ken Kovash from the Mozilla Metrics team, Firefox 3.6 has not only seen a 40% stability improvement since its initial release (from about 6.5 crashes for every 100 users, to around 2.5), but it has already surpassed 3.5 with all its updates since its initial release about 10 months ago.

Firefox crashiness by version over time
