
Firefox 3.0.12 released

From:  Samuel Sidler <ss-AT-mozilla.com>
To:  announce-AT-lists.mozilla.org
Subject:  Firefox 3.0.12 available for download
Date:  Tue, 21 Jul 2009 16:15:19 -0700
Message-ID:  <95747C6A-6AF2-42CD-BEB9-48E37C82AD87@mozilla.com>
Cc:  dev-planning-AT-lists.mozilla.org

As part of Mozilla's ongoing security and stability update process,  
Firefox 3.0.12 is now available for Windows, Mac, and Linux for free  
download from http://www.mozilla.com/en-US/firefox/all-older.html.

We strongly recommend that all Firefox 3.0.x users upgrade to this  
latest release. If you already have Firefox 3.0.x, you will receive an  
automated update notification within 24 to 48 hours. This update can  
also be applied manually by selecting "Check for Updates..." from the  
Help menu.

For a list of changes and more information, please review the Firefox  
3.0.12 release notes at:

http://www.mozilla.com/firefox/3.0.12/releasenotes/

Note: Firefox 3.0.x will be maintained with security and stability  
updates until January, 2010. All users are encouraged to upgrade to  
Firefox 3.5 by downloading it from http://firefox.com/ or by selecting  
"Check for Updates..." from the Help menu when using Firefox 3.0.12.

(follow ups to mozilla.dev.planning / dev-planning@lists.mozilla.org)



Firefox 3.0.12 released

Posted Jul 22, 2009 18:08 UTC (Wed) by jwb (guest, #15467)

One of the critical bugs fixed here was reported nine months ago, which is bad enough, but it's a fork off another bug which is still hidden, bug #459906, which was opened last October. Since the bug is still hidden from the general, I assume that the issue described therein is an exploitable security hole.

Bottom line: your current Firefox has exploitable holes that were reported to mozilla.org almost a year ago. Good times.

Firefox 3.0.12 released

Posted Jul 22, 2009 21:27 UTC (Wed) by joedrew (guest, #828)

That bug (#459906) is VERIFIED FIXED, and has been so since October 2008. Generally we don't open bugs until after the release they affect has gone out the door, but sometimes we forget.

Firefox 3.0.12 released

Posted Jul 22, 2009 21:42 UTC (Wed) by jwb (guest, #15467)

I'm sure you'll understand if I respectfully decline to take your word for it. As usual mozilla.org's policy of hiding these reports makes it effectively impossible for the user to evaluate his own risk in using the browser.

Firefox 3.0.12 released

Posted Jul 22, 2009 22:01 UTC (Wed) by joedrew (guest, #828)

Our general policy is to keep security bugs closed until either they've been fixed or otherwise "outed" (for example, by exploit code elsewhere). It's a tradeoff; we don't like closing people out of information, but we also don't like the security of our users to be jeopardized by something we can prevent.

Precisely that sort of thing happened recently with the Firefox 3.5 JIT bug - we let people know there was a critical bug, let them know how to mitigate that bug in the meantime, and had a fixed release out in less than 2 days. And yes, not closing the bug put our users at risk.

Anyways, I have started the discussion on opening bug 459906 among the security folk at Mozilla (I am only peripherally involved in that group), and it will hopefully be opened before long.

Firefox 3.0.12 released

Posted Jul 23, 2009 9:58 UTC (Thu) by roc (subscriber, #30627)

It's an unfortunate fact of life that keeping all our bugs public all the time would make it far too easy for the bad guys to abuse our users.

At least we do open all our bugs sooner or later, generally as soon as we can. All other browser developers keep their security bugs in closed bug systems and never reveal them.

Firefox 3.0.12 released

Posted Jul 23, 2009 18:41 UTC (Thu) by jwb (guest, #15467)

I totally understand the policy, roc, but wouldn't it be nice to have something more than "You are not authorized to access bug #470487" when a user is trying to look up some of these bugs? All I know about that bug is it's a topcrasher, it must be exploitable (because it's hidden), as of two days ago the fix for it is not in the 1.9.1 branch (according to the platform weekly meeting notes), and it was reported seven months ago.

It might be nice if the Bugzilla page could give me at least some useful information. For example it should tell me the severity of the vulnerability and its status in the trunk and each of the release branches. Then I would at least be able to think about the risk rationally.

Firefox 3.0.12 released

Posted Jul 24, 2009 0:21 UTC (Fri) by roc (subscriber, #30627)

That's an interesting idea. It might be useful to reveal that bug 470487 is Windows-only and so probably isn't relevant to you.

But again, we're miles better than our competition in this department. I don't know of any project that supports partial bug revelation.

Firefox 3.0.12 released

Posted Jul 23, 2009 10:01 UTC (Thu) by roc (subscriber, #30627)

It's an unfortunate fact of life that keeping all our bugs public all the time would make it far too easy for the bad guys to abuse our users by turning testcases into exploits.

At least we do open all our bugs sooner or later, generally as soon as we can. All other browser developers keep most of their security bugs in closed bug systems and never reveal them.

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds