October 1, 2004. The Mozilla Foundation releases an important security update for Firefox. All users should upgrade to the latest version of the Firefox Preview Release. A patch is available for current Preview Release users.
Getting the Update:
- Firefox Preview Release (Firefox 0.10) users: To update Firefox, open your Tools -> Options window and go to the Advanced page. In the Software Update section, ensure that the Firefox checkbox is checked and click the Check Now button. The resulting wizard will guide you through the installation. If you see the update icon appear in the upper right corner of your screen, you can skip the previously described method and simply click on the icon to install the patch. If you are having difficulties with either of those methods, simply click here to install the patch. You may need to add www.mozilla.org to your list of trusted web servers. You will need to restart Firefox after installing the patch.
- Users of versions prior to Preview Release: Visit the Firefox homepage to download the latest version of Firefox Preview Release (Firefox 0.10.1).
Questions & Answers:
- How can I verify that I have installed the patch and that I am running the most recent version of the Firefox Preview release?
Click on the Help menu and select About Mozilla Firefox. Examine the User Agent information displayed on that page, e.g.
Mozilla/5.0 (OS Information; Lang. Information; rv:1.7.3) Gecko/20040923 Firefox/0.10.1
If you observe that you have 0.10.1 installed, you have the patch and are running the most recent version.
- How does this security vulnerability expose the user?
A malicious hacker who could trick a user into saving a file could delete files from a user’s download directory.
- How serious is this vulnerability?
While this is a potentially severe security vulnerability, user interaction is required to trigger potential harm. This security update is also another example of the Mozilla Foundation identifying and fixing security vulnerabilities before they are exploited by malicious hackers. This type of security vulnerability is very different from cases where a hacker could take advantage of a vulnerability to obtain valuable information from a user’s computer.
- Doesn’t this case illustrate that all browsers are equally insecure?
The Mozilla Foundation continues to have a very strong track record on security. According to Secunia, an independent security monitoring organization, Firefox currently has 1 open security issue, out of a total of 13 security advisories filed in 2003 and 2004. 0% of these are labeled “extremely critical”, 15% are labeled “highly critical”. For the same period, Secunia lists 16 open security issues out of 44 advisories for Internet Explorer 6.0, 14% of which are labeled “extremely critical”, 34% are “highly critical”.