Firefox 3.6.2 Released

Lucas Adamski

46

Mozilla has accelerated its timetable and released Firefox 3.6.2 ahead of schedule. This release contains a number of security fixes, including a fix to Secunia Advisory SA38608 which was previously discussed on this blog when we were first made aware of and were then able to confirm the issue.

For additional information please see Mozilla Foundation’s Security Advisory MFSA-10-08 as well as the Firefox 3.6.2 Release Notes. We urge users to promptly update to this release by selecting “Check for Updates…” from the “Help” menu, or by visiting https://www.mozilla.com/ for a free download.

46 responses

  1. Mike Beltzner wrote on :

    I can’t thank our build, QA, web development and release management team enough for the hard work done in the past few days to accelerate the Firefox 3.6.2 release. Great story for our users.

  2. Yuhong Bao wrote on ::

    Was it inspired by Germany recommending a switch away from Firefox earlier on the same day or was that a coincidence?

  3. Concerned User wrote on :

    That was very quick:). Thanks Mozilla for taking the time to reschedule your regular release dates and realize the important of zero day vulnerabilities. Kudos!

  4. pheldespat wrote on :

    Good job!

    Thank yo very much, Mozilla.

  5. emv x man wrote on ::

    Wow, that’s impressive – respect and thanks to all at Mozilla.
    @Yuhong can you name one outfit that regularly out-paces Mozilla in terms of reacting/solving issues?
    IMO it’s normally better to be grateful than snippy – especially to a bunch of people who give us a consistently great platform.

  6. another_sam wrote on :

    https://bugzilla.mozilla.org/show_bug.cgi?id=552216

    Correct me if I am wrong, but in
    https://bugzilla.mozilla.org/show_bug.cgi?id=552216
    what I see is the fix done on 14th but the patch released on 22nd.

    What happened during these 8 days?

  7. Just a user wrote on :

    Thanks Firefox team…I’m just a bit disappointed that it took the German announcement to prompt this – I always thought FF was more proactive, but you’ve done the right thing now.

  8. Dan wrote on :

    What happened to 3.6.1??

  9. emarell wrote on :

    I’m also impressed with the quick attention to this kind of thing that always occurs with the Firefox people. Thanks go to the team members.

    That said, with this particular incident I have some problems. If I update to 3.6.2 or to 3.6, a dozen-plus of my add-ons become incompatible. Not OK for me; they are why I love Firefox instead of the G-brand or any other contender. I do understand it always takes a while for the independent developers to catch up. So I pretty much always wait a while before putting in a new version.

    In this case, though, it seems to amateur old me that patching the vulnerability is quite urgent; yet I have seen mention here and there that prior versions such as 3.5.8 are not vulnerable. Version 3.5.8 does not run well on my system… at all! It fails to load many, many sites at moments when two alternate browsers have no trouble whatsoever (so it can’t be an ISP snag).

    Regarding this Secunia Advisory SA38608 episode, I have seen no instruction or guidance about:

    [1] Does typical anti-virus (avast! v5.0.462), anti-malware (IO Security 360 v1.41), and/or firewall (ZoneAlarm v9.1.007.002) freeware stop this particular danger? I use those.

    [2] What about an even earlier Firefox version – namely 3.5.7 – which truly runs like a top on my machine? Is that as vulnerable as 3.6? Or some other, pre-3.5.7, version?

    I’ll keep an eye on this Comments section for whatever help someone can post here – and thank you.

  10. seedy wrote on :

    Anyone noticed that FF now tries to connect via random ports? My Zone Alarm is requesting permission for FF on random ports every time I run FF. Is this normal? It wasn’t happening with previous versions.
    Thanks

  11. another_sam wrote on :

    @Dan
    https://wiki.mozilla.org/Platform/2010-01-26#Notices_.2F_Schedule
    read “Firefox 3.6.2″

  12. David Baron wrote on ::

    @emarell, The WOFF vulnerability does not affect Firefox 3.5.*; WOFF support is new in Firefox 3.6.

  13. whatever wrote on :

    Great! Thanks a lot for speeding up the release.
    Hopefully this will also save FF during CanSecWest Pwn2Own 2010 :)

  14. Tytan wrote on :

    I have installed Firefox 3.6.2 and now no add-ons work at all! So I uninstalled it and went to 3.5.8 when I knew they were working and now they don’t work in that either! I highly regret installing Firefox 3.6.2. Can anyone help me?

  15. emarell wrote on :

    @David Baron

    Thanks for the clarity.

    Now I am beginning to understand what WOFF support is about (browser’s ability to show a wider variety of fonts designed into a web page, yes?).

    Maybe you’d be so kind as to explain what a user would see when loading one of these pages if his/her browser doesn’t support WOFF?

    (My amateur guess: the browser substitutes a predetermined default font, and loading is slower???)

  16. Daniel Veditz wrote on :

    @Tytan: if you open the add-on dialog are the add-ons missing? Hard to imagine why they’d be present but not working if you switched back. If they’re missing perhaps a new “profile” was created somehow during the upgrade. http://support.mozilla.com/ can help you with this (try the forums or live chat).

  17. Damon wrote on :

    Same here. All add-ons down. If I try to open the add-on page, it locks the computer up.

    xp sp2

  18. emarell wrote on :

    @Tytan
    During all that maneuvering that I did earlier (see entry #9 above) I had that same experience – version 3.6.2 certainly made a real mess. Not just disabled and missing add-ons. It *inserted* one add-on I had tried out long ago and uninstalled; this one would not let go! Couldn’t close its sidebar or get rid of the add-on itself.

    Until you posted here I’ve seen no mention of the scrambled eggs that upgrading to 3.6.2 made out of Firefox 3.5.* – bet it’ll be popping up webwide!

    That is why I am asking so many questions. Basically it seems to me, so far, that this newfangled WOFF font transmission thing is a mere frill, not another giant leap for mankind. It might not be worth all the “critical danger” and related or other shenanigans just to get more fonts in our face. I thought we had plenty-o-fonts before WOFF. It’s just the question of what happens if one sticks with a non-WOFF browser version. Anybody know?

    Unfortunately all I can tell you is that to fix it I had to restore the entire C-drive.

    I have Vista; once upon a time it did backups – a feature which became unusable. So now I use Macrium Reflect to put backups onto an external hard drive twice a week. Using that, I restored a few-day-old full C-drive backup done when 3.5.7 (my favorite Firefox) was still on board and intact.

    ***But***
    Before doing so, I made an ordinary
    copy (on a stick drive) of: the
    current contents of Documents
    [the folder] and Pictures and
    whatever else I knew I’d altered
    in the few intervening days since
    making that Macrium backup file.
    The stuff I placed on the stick
    drive… all unrelated to Firefox.
    *********

    Following the full C-drive restore (from the Macrium backup), I wrote my stick drive copies over what the restore gave me for those few folders.

  19. Concerned User wrote on :

    @ Mozilla team: Just saw this:

    http://www.theregister.co.uk/2010/03/25/pwn2own_2010_day_one/

    So will the “hacker” guys tell your team how they “did” it? and if so, would Mozilla release more updates? Please clarify.

    The update (3.6.2) was very smooth and my addons are working just fine!

  20. Nevi wrote on :

    Mozilla is the best!Thank you friends.

  21. Geoff wrote on :

    I upgraded to 3.6.2 on my Mac with OS 10.4, i can no longer get into any secure https sites that includes google mail, all my banking etc…
    this is progress ??? I will add that these same sites will load in safari 4.0.5.

  22. Tytan wrote on :

    @Daniel Veditz, @emarell & Everyone Else

    According to Firefox 3.6.2, they are installed and enabled, but yet none actually show up. I tried with a toolbar on it and right-clicked to see if they were checked, but they didn’t show up on the list. The only place they show up is on the Add-ons list. So, I went into the Program Files (x86) and looked for Mozilla Firefox, but yet when I went into it, the only things there were empty folders:
    •chrome
    •components
    •extensions
    •plugins
    •uninstall
    Yes, it sounds crazy and trust me, I had to refresh it because I didn’t believe it. No other files were there, just those empty folders. And the weirdest of all, Firefox was still able to run! So, until Mozilla comes out with another update, I’m not installing 3.6.2, as I end up uninstalling it and re-installing 3.6.

  23. emarell wrote on :

    @Tytan

    Once again, many thanks for your sanity-supportive comments. One sees continued insistence that 3.6.2 is just fine & dandy, but to me that’s a river in Egypt: “deNile.”

    For your own protection I wouldn’t use 3.6 either, even though it may appear to operate well. It’s the first version that supports WOFF, and that’s where the security emergency lies. Go for 3.5.8 or 3.5.7 instead (installers still available at filehippo.com). These are not vulnerable to the WOFF danger.

  24. Daniel Veditz wrote on :

    @Tytan: please don’t go back to 3.6 with known/published security holes! If 3.6.2 isn’t working for you then please go back to the latest supported 3.5 version (3.5.8). And I urge you to work with the folks at http://support.mozilla.com/ to figure out what’s going on: 1) they see all kinds of weird stuff and may know the fix, and 2) if it’s a problem they haven’t seen they’ll try to get enough information so we can figure it out and fix it.

    I don’t understand how Firefox can be running if its install directory is empty. Are the files hidden from your account (try from an admin account)? Did the running Firefox get installed somewhere else (right-click on the short-cut and check its file path)?

    Oh, getting 3.5.8… two ways.
    1) Through the web site: under the download button there’s an “Other systems and languages” link. In the right-hand column you’ll find a 3.5.8 link under an “Other Versions” heading.

    2) from our raw download site: Go to http://releases.mozilla.org/pub/mozilla.org/firefox/releases/ and download whichever one you’re looking for.

  25. berke wrote on :

    I use Firefox 3.6.2 Turkish
    I have a problem with “C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content”
    in the “content” folder there is “timer.xul”
    Microsoft Security Essentials report a problem with this, it said that “timer.xul” is a trojan.
    I delete “timer.xul” many times but when I open the folder there is a new “timer.xul”
    how can I resolve this problem?

    Microsoft Security Essentials’s report (in Turkish)

    Kategori: Truva Atı

    Açıklama: Bu program tehlikelidir ve saldırgandan gelen komutları yürütür.

    Öneri: Bu yazılımı hemen kaldır.

    Microsoft Security Essentials, gizliliğinizi tehlikeye atabilecek veya bilgisayarınıza zarar verebilecek programlar algıladı. Bu programların kullandığı dosyalara, dosyaları kaldırmadan kullanmaya devam edebilirsiniz (önerilmez). Bu dosyalara erişmek için, ‘İzin Ver’ eylemini seçin ve ‘Eylemleri uygula’yı tıklatın. Bu seçenek kullanılamıyorsa, yönetici olarak oturum açın veya yerel yöneticinizden yardım isteyin.

    Öğeler:
    containerfile:C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
    file:C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul->(SCRIPT0000)

    how can I resolve this problem?

    1. Daniel Veditz wrote on :

      @berke

      Your computer appears to have been infected with W32/Routrobot.Worm (also called Prolaco by other A-V). According to McAfee it spreads through email attachments, autoplay on removable drives like USB sticks, and P2P networks by masquerading as popular search targets. http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=256356

      If your Anti-virus can’t clean up the full infection (including the parts that keep regenerating it) you need to try another program.

  26. Tytan wrote on :

    Ok guys. Here’s where I stand at now.
    •I tried 3.5.7 – Didn’t work
    •I tried 3.5.8 – Didn’t work
    •I tried 3.6 – Worked
    •I tried 3.6.2 – Didn’t work
    It seems that only Firefox 3.6 will work, which isn’t the best thing. I tried talking to someone on the Live Chat last night, but they ended up ditching me because it was closing time…of course. I now only have 2 options:
    •Keep Firefox 3.6
    •Switch to another browser

    @Daniel Veditz
    •The files are not hidden
    •Only have 1 account which is an admin
    •C:\Program Files (x86)\Mozilla Firefox

    I think that I might just use another browser until 3.6.3 or whatever it will be called comes out.

  27. emarell wrote on :

    At this writing I have seen no response to the question of why we really needed WOFF support, and what happens if Joe Average Web Surfer never does ‘up’grade to any browser that offers it. That is, what occurs when one accesses some web page that would transmit/display its own idiosyncratic font via the WOFF protocol [???], except the browser in use doesn’t support that?

  28. Tytan wrote on :

    Update

    Ok guys. I tried the forum and I got what I needed! I had to delete the following from the “%APPDATA%\Mozilla\”:
    •extensions.rdf
    •extensions.cache
    •compatibility.ini
    It works fine and all of my add-ons are running! Thanks for the help guys.

  29. Daniel Veditz wrote on :

    @emarell

    If your browser doesn’t support WOFF then generally you’ll get a fallback to a default installed font. It’s possible that if the page designer really wants things to look just so they might serve alternate content to browsers that don’t support WOFF, such as using images for their headlines to get just the font they want (I’m sure you’ve seen that on sites).

  30. Annon wrote on :

    3.6.2 FF is having problem about Site Loading but the page is BLANK.

    hmm…

  31. Oscar wrote on :

    When you are trying to open a new tab or window is not working. Just a page in blank………………………….

    Any solution

  32. Scoutinglady wrote on :

    Upgraded to 3.6.2 today and now when I right click on a jpg emailed to me to save it nothing happens…I needed to do this for some school work and now I’ll have to go to IE which I hate to do but at least it works. There are issues with JAVA as well and I need that for access to online classes. This just sucks…

  33. Blake wrote on ::

    Firefox 3.6.2 running on WinXP is showing a blank white page when trying to view http://www.simonscompetition.com/.

    The page shows up fine using MSIE.

    Please help.

  34. rogerrabbit wrote on :

    I have had a similar problem, except all my browsers have been affected by it since installing FF 3.6.2 I can’t understand why.

    I thought it might be my ISP, but they checked it out and the problems is not coming from them. So I started fooling around with IE8 and decided to make it my default browser again today, all of a sudden everything is working again on Firefox, pages are loading like before. No blank pages. So for now making your default browser Internet Explorer again may solve your problem. I have tested this on three different computers so far and I got the same result, not sure if it will solve everyone else’s page load problems.

  35. Concerned User wrote on :

    Hi there! Upgraded to 3.6.3, very smooth, all my addons are working fine. Great job Mozilla team! I think you’re among the first to patch the pwn2win flaws. Kudos!

  36. vexy wrote on ::

    I didn’t played around with FF 3.6 since well..3.6, for some reason, it ate alot of resources. Gave a try to 3.6.3 and it seems way way more quicker than always? What’s up with that? Not that it’s a bad thing…actually I”m quite hapyp about it. GJ Mozilla!

  37. aka wrote on ::

    I’m currently running 3.6.3 which is basically 3.6.2 + bug 555109 fixed. No problems so far including the update process, add-ons functionality or stability. 3.6.2 ran smoothly as well (upgraded then from 3.5.5).

    @Blake your website looks weird in Chrome as well, compared with IE. I think you should fix your code a bit.

  38. James wrote on :

    I tried to update from 3.6.2 to 3.6.3 and a dialog box comes up and cannot find licensing verification file. Do I have to do a full install or is this another problem?

    1. Daniel Veditz wrote on :

      Firefox does not have a license file, that message is from some other software (possibly one that has hooked into Firefox in an incompatible way).

  39. Kyra wrote on ::

    Well, I had also a problem upgrading from 3.6.2 to 3.6.3, but did a cleann full install, everything is ok :) The thing is, the 3.6.3 is almost flawless minus the Hotmail/Live problems, also reported here http://support.mozilla.com/en-US/forum/1/640872

  40. Flash wrote on ::

    Firefox remains still the no 1 browser. I don’t understand why people complain so much about it, I have it installed on all my computers (Win + Mac) and it’s working perfectly. I must admit tho, without those hundreds of plugins, Firefox could have some competition. Kudos Mozilla!

  41. nimd4 wrote on :

    No, it’s the NoScript Add-on problem. Current version 1.9.9.61. Disable it and Hotmail will work (Clear Recent History… Ctrl+Shift+Del if needed).

  42. Software Geek wrote on ::

    Hello,

    When right clicking on a picture or a link there is no more “Properties” option available. Do I have to install an add-on for this? Or how are we supposed to see the properties?

    Thank you!

  43. Ronda Wanda wrote on :

    I’m not that impressed by 3.6.2. Ever since downloading it this week I’ve been attached by all sorts of trojans. Never had that problem before. I’m going back to an older version.

  44. IT Maniac wrote on :

    I’m using Firefox 3.6.3, and when it’s connected to the internet, it tries to open another port to the internet like it’s not connected. Zone alarm doesn’t detect this since Firefox already has permission to access the internet, just weird Firefox is asking me permission to connect. Seems like Firefox is running some mysterious process in the background, even with automatic updates, add-ons and search engine updates disabled.

    I used 3 different virus programs and my system comes up clean.

    Mozilla, what gives? Trying to give Germany, me another reason to remove your browser?