It would appear that running any of 600 add-ons in Mozilla Firefox opens up a terrible hole. When exploited, this hole allows a hacker to steal "session information, including session cookies and session history". Mozilla promises a fix by February 5th, with the release of Firefox version 2.0.0.12. While Mozilla classifies this threat as a "high risk", there is some controversy in the hacker world as to how bad this threat really is. According to a hacker, via "hiredhacker.com", this isn't as big a problem as people have made it out to be. However, it is certainly more serious than "leaking a few variables", and should definitely be patched as soon as possible.

Mozilla, developer of the popular Firefox web browser, have launched a new related service, Weave. Currently available only as a test version associated with the latest Firefox 3 beta, it should allow users to carry history and bookmarks from one computer to another, as well as share the information with select friends and family; users need only to create a Weave account and download the add-on. To prevent the natural threat of privacy invasion, Weave accounts are password-protected, and encrypted. Weave will run on Windows and Linux systems as well as Macs.

Mozilla Corp. released the second beta of Firefox 3 late yesterday, several days earlier than it had planned. Last week, Mike Beltzner, Mozilla's interface designer, pegged Firefox 3 Beta 2's tentative release at midafternoon on Friday, Dec. 21. Last night, however, after announcing that the beta was finished and ready to download, Damon Sicore, Mozilla's director of platform engineering, said, "We shipped three days ahead of schedule, only 31 days after Beta 1!" In a post to the mozilla.dev.planning forum today, Beltzner touted several improvements in Beta 2 over November's predecessor, including better protection against cross-site JSON (JavaScript Object Notation) data leaks, and a new "effective top-level domain" (eTLD) service that puts tighter control on site-specific content such as cookies to stymie privacy hacks and session hijacking.

Apparently, the Firefox crowd needs to raise awareness of what exactly Firefox does. A high school student was doing his assignments using the internet browser, and got this note home from the teacher...

To the Parent(s)/Guardian(s) of [Redacted], Grade 11

This is to inform you [Redacted] has been assigned a(n) Detention.

Today in class [redacted] had a program launched called Foxfire.exe [sic]. I had told [redacted] to close the program and to resume work but he told me that it was just a different browser and that he was doing his work. I had given him two warnings but he insisted that it was just a 'better' browser and that he wasn't doing anything wrong. I had then issued his detention

The teacher who issued this letter is proof that Firefox simply needs to step up their advertising campaign. The teacher that issued this detention had no idea how to even spell the program name, let alone what it did. Granted, the teacher probably gave this detention out of safety protocol. After all, if you saw a foreign program running on a lot of expensive computers you didn't own, wouldn't you want it out of your systems?

Jeff Jones, Security Strategy Director at Microsoft's Trustworthy Computing Group, following his recent report putting Windows Vista ahead of Linux and Mac OS X for security, has now placed Internet Explorer ahead of the open source Firefox browser in a long-term comparative study. According to his analysis, fewer security vulnerabilities needed fixing in Internet Explorer than in the competition. Jones explains in his report Browser Vulnerability Analysis (PDF), that Mozilla has fixed 199 security vulnerabilities since November 2004, when Firefox first appeared, of which 75 were critical, 100 medium and 24 of low importance. Over the same period, a total of 87 security vulnerabilities were fixed in Internet Explorer, of which 54 were critical, 28 medium and 5 of low importance. He also notes that security updates are currently only being released for version 2.0 of Firefox, while Microsoft provides full support for earlier versions of Internet Explorer.

After releasing the 2.0.0.10 update for its Firefox browser on Tuesday this week, Mozilla has quickly issued another update to take Firefox to version 2.0.0.11. The latest update fixes a stability problem that was found in the 2.0.0.10 release, and it is recommended that all Firefox users update to this patch to prevent any potential problems. The release notes are available here, and the patch can be downloaded either using the Help menu in Firefox or by visiting Mozilla's download page.

Firefox 2.0.0.10 is now available for download. This version patches three security holes in the world's second most-popular browser. The first bug is a cross-site scripting flaw in the jar: URI scheme, which may allow an attacker to steal private information (a proof of concept has been published demonstrating how the contacts of logged-in Gmail users can be stolen). Firefox 2.0.0.10 also fixes three stability bugs, which could be exploited to corrupt memory and potentially execute arbitrary code. The final issue relates to a race condition when setting the window.location property, which could be used to spoof a HTTP Referer header. The release can be downloaded from the Mozilla Firefox product page. More information about the new version can be found in the Firefox 2.0.0.10 release notes.

Ever since Firefox 3.0 Beta 1 was released to the public, people have been wondering whether or not memory usage was any better. An independent tester decided to take it upon himself to investigate. Running a Windows Vista Home Premium system with 2GB of RAM that had never had Firefox installed on it before, the man put each browser under three different testing scenarios (that were equivalent between the two systems). First, he loaded five web pages into the browser. Then, he loaded a single page and let the browser idle for 10 minutes. Finally, he loaded 12 pages and waited five minutes. The results are very interesting.

Firefox 2.0.0.9 used 35,640KB of RAM on the first test, 47,852KB on the second test, and a staggering 103,180KB on the last test. Firefox 3.0 Beta 1 at first did not seem to be doing much better, using 38,644KB and 63,764KB of RAM on the first and second tests, respectively. However, on the final test, Firefox 3.0 Beta 1 required only 62,312KB, over 40,000KB less than what Firefox 2.0.0.9 required. For comparison, Internet Explorer 7 used 89,756KB on the final test. Please check out the source link for screenshots and more detailed test results.

Mozilla plans to release a bug fix for its Firefox browser next week, repairing a long-standing security flaw in the software. The 2.0.0.10 update is in testing right now and should be released to the public next week, following the Thanksgiving holiday in the U.S. "We are giving it a couple of days to make sure that there are no issues found and we'll release it after Thanksgiving," said Mike Schroepfer, Mozilla's vice president of engineering. The issue that is to be fixed was first reported last February by Jesse Ruderman, but it gained widespread attention earlier this month when researcher Petko Petkov pointed out on his blog that the flaw could be used to launch a cross-site scripting attack against the Firefox browser. The flaw has to do with the fact that Firefox does not properly check files that are compressed using the .jar (Java Archive) format. Attackers could sneak malicious code into the Jar-compressed documents, which would then be run by the victim. Mozilla also published today the first beta of Firefox 3.

The Mozilla Corporation yesterday released Firefox 3 Beta 1, which is now available for download in a variety of languages. The beta includes updates to the default theme, the new places site management features, improved security architecture, and Gecko 1.9. Release notes with a more complete list of features, are also available.

Mozilla Corp. will fix just 20% of the bugs now in Firefox 3.0 before the final version is released next year, the open-source developer's Web site revealed Wednesday. As Mozilla pushes to post Beta 1 of Firefox 3.0 in time, it has asked developers to prioritize already-identified bugs so that the most important can be fixed. That means 80% of the approximately 700 bugs currently marked as "blockers" will not be fixed for Firefox 3. Firefox 3.0 is months behind the schedule Mozilla set about midyear, when it said the browser would reach Beta 1 in late July and move into a second beta in September, both preceding a final release by the end of the year.

Anyone who uses Mozilla Firefox in a Windows environment knows that Firefox can use a lot of memory. Now that Mozilla is getting a lot of requests to make a mobile version, they are working very hard to make a version that won't eat all of the mobile phone's memory. Christopher Blizzard, a member of Mozilla's development board, had this to say about Firefox's alleged memory issues.

As Mozilla starts down the path to running in the mobile space we are spending time looking at memory pressure issues more closely. . . (I)t sounds like the early data suggests that Mozilla really doesn't leak that much memory at all. But it does thrash the allocator pretty hard and that's what causes the perception of memory leaks.

An update to Mozilla's popular Firefox browser has been released, taking the version number to 2.0.0.9. A number of bugs identified in the 2.0.0.8 build of the software have been corrected, as listed below:

• Bug 400406 - Firefox will ignore the "clear" CSS property when used beneath a box that is using the "float" property.
• Bug 400467 - Windows Vista users will get "Java not found" or "Java not working" errors when trying to load Java applets after updating.
• Bug 396695 - Add-ons are disabled after updating.
• Bug 400421 - Removing a single area element from an image map will cause the entire map to disappear.
• Bug 400735 - Some Windows users may experience crashes at startup. There is no workaround available at this time.

You may be notified of the update automatically, but if not you can either download it from here or click on Check for Updates... from the Help menu.

All Firefox users can now download the latest 2.0.0.8 release of the popular web browser from Mozilla.

DOWNLOAD | Release Notes

Mozilla is planning to create a mobile version of the popular web browser Firefox for phone manufacturers sometime in 2008. The mobile version will be able to run extensions and experience tabbed Internet browsing similar to the traditional desktop features users have now. It still remains unknown which mobile devices will feature Firefox in the future, but details will hopefully arise as the software gets closer to launch date.

New version 2.0.0.7 of Firefox was released this afternoon to patch the QuickTime issue described here. This will protect Firefox users from the public critical security vulnerability until a patch is available from Apple.

DOWNLOAD

Less than two years after it crossed the 100 million mark, total downloads of Mozilla's Firefox Web browser have now passed 400 million, although the number does not represent total installations. Since the release of Firefox 2 last October, the browser has continued to take market share from IE. Mozilla is now working on version 3 of Firefox, which is currently in its alpha stages of development. According to the company, Firefox usage in Slovenia is nearing 50 percent market share, which would put it over Internet Explorer for the first time anywhere in the world.

Things are looking good for Mozilla's Firefox, which is the most popular competitor to Microsoft Internet Explorer. The latest version of the in-development Firefox 3 is Alpha 7, codenamed "Gran Paradiso". While it is still far from an official release, Firefox 3 already shows much promise, and boasts a long list of very powerful features. Highlights from the Alpha 7:

• A new bookmarking interface, which adds the ability to tag your favorites.
• Malware detection, with the help of Google
• Detection of micro-formats.
• Private Browsing mode, which allows users to surf the web with anonymity.
• Support for running internet applications in off-line mode.

Feel free to read the entire sneak peak at PC Mechanic.

An exploitable bug in Mozilla Firefox discovered earlier this month was first believed to have been caused by Internet Explorer 7 but soon after that Mozilla was forced to admit that it was Firefox that could trigger the bug as well. Today however that bug has apparently been traced back to a Windows API function. However Mozilla seems to have fixed the bug in their latest Firefox 2.0.0.6 version.

Mozilla has just released the latest version of their popular Firefox browser. Main reason for this update is the fix for the IE7 / Firefox exploit revealed early this month and which Mozilla failed to fix in the previous 2.0.0.5 version of the Firefox browser.

Release Notes

Fixed in Firefox 2.0.0.6
MFSA 2007-27 Unescaped URIs passed to external programs
MFSA 2007-26 Privilege escalation through chrome-loaded about:blank windows

Download

Mozilla Admits Firefox Exploit Caused By IE

Almost three weeks ago Mozilla developers issued a statement indicating that the whole Firefox-Internet Explorer exploit was caused by Internet Explorer which could trick Firefox into executing arbitrary JavaScript code. This morning, Mozilla security chief Window Snyder had to issue a retraction stating Firefox could just as easily trick Firefox into doing the same thing.

Mozilla just released the latest version of their oustanding internet browser. More specifically in version 2.0.0.5 Mozilla has corrected the following bugs.

• XPCNativeWrapper pollution
• Unauthorized access to wyciwyg:// documents
• Remote code execution by launching Firefox from Internet Explorer
• File type confusion due to %00 in name
• Privilege escallation using an event handler attached to an element not in the document
• Frame spoofing while window is loading
• XSS using addEventListener and setTimeout
• Crashes with evidence of memory corruption

Download

If both IE and Firefox version 2.0, or later are loaded on a persons computer a zero day security hole may occur.

Mozilla has updated the popular Firefox browser to version 2.0.0.4, with the main changes being security fixes, improved support for Windows Vista and new languages (Afrikaans and Belarusian). The full release notes can be viewed here and if Firefox does not automatically update you can manually download the new version either by clicking on the "Help" menu and choosing "Check for Updates" or by visiting the Mozilla download page. Firefox 2.0.0.4 is available for Windows, Mac OS X and most versions of Linux - check here for a full list of downloads. Don't forget that add-ons and themes may require compatibility updates for this new version of Firefox.

Anyone who uses Windows Vista and Mozilla Firefox may be pleased to hear that the Windows Media Player team has now released a plugin for Firefox that should allow the browser to play WMP content on websites. Here are the steps to get it working:

• Installation of the Windows Media Player Firefox Plugin may require administrative access to your PC. It is recommended that you close all other open browser windows before continuing with the installation.
• Click the Install button to automatically download and install the Windows Media Player Firefox Plugin.
• Depending on your security settings, you may see a Security Warning dialog box. Click Install to install the plugin.

There is a known issue if you are using Firefox version 2.0.0.3 on Windows Vista with the installer failing with error code -203. To work around this simply restart Firefox (you will get a notification that Windows Vista will be changing the Firefox compatibility settings) and then install again - the second time should succeed.

The download is available here, and the new plugin works on all versions of Windows XP and Windows Vista (although it is mostly intended for Vista, as that currently has no WMP support in Firefox).