Firefox 8 Patches Six Security Holes


People following Mozilla's fast-paced upgrade schedule are advised not to ignore the latest update, which fixes six security holes, three of them critical, the rest rated high priority.

The upgrade, released Tuesday, also brings new features to the browser, such as adding Twitter to the search query box for people who want to look for topics, usernames and hash tags on the micro-blogging site. Other features include disabling third-party add-ons that are installed without permission from the browser user. Such secretive installs have led to problems, including slow start-up times and page loading and toolbar clutter, Mozilla says. They also are a security risk, because developers are often slow on updates.

As a security upgrade, Firefox 8 is important enough to warrant a mention on the web site of the U.S. Computer Emergency Readiness Team, which is recommending that users apply "necessary updates to help mitigate the risk." All of the fixes patch holes that pose a security risk to users doing no more than normal Web browsing.

A rating of critical means an attacker can exploit the flaw to run code or install software. High means the vulnerability can be used to gather sensitive data from visited sites or inject data or code into those sites. One of the flaws rated high only applies to Mac users. Mozilla blames this one on Apple. "This problem is due to a bug in the driver for Intel integrated GPUs on recent Mac OS X hardware," the company says in an advisory.

Many businesses find Mozilla's upgrade pace too fast, and have yet to move beyond Firefox 3.6. For these users, Mozilla released Firefox 3.6.24. The upgrade patches one vulnerability, rated high.

Mozilla's six-week upgrade cycle, launched in the summer, strained relations with businesses, which prefer a much slower pace for software upgrades. Mozilla argues that a fast schedule is needed to keep up with the changes in browser technology.

To try and meet the concerns of business users, Mozilla re-established the Mozilla Enterprise User Working Group, which consists of a mailing list and a monthly phone conference on the first Thursday of every month.