Firefox releases Version 5; five remote code vulnerabilities fixed

Filed Under: Data loss, Firefox, Privacy, Vulnerability

Mozilla delivered on its promise to have the Version 5 release of its browser ready by midwinter's day, which falls today in Australia: 22 June 2011.

The new version officially calls itself 5.0, but the Version 4 release is just three months old, and has had only one point update (to Version 4.0.1).

It looks as though Mozilla is simply copying Google's Chrome version numbering system in order to seem more "with it."

Chrome now increments the leftmost number in its version string with every release, which gives the impression that it is making faster progress than products which change their major version number less frequently. That's good marketing, of course, but poor science by the observer. (Your car doesn't really increase in speed by 60% when you switch the speedo from MPH to KPH.)

With Chrome already up to Version 12 (and 13 in beta), Mozilla clearly feels that lingering at V4 for more than a few months would look tardy. V3 is now the previous version - the official page of "all older versions" lists V3.6.18, and that's that.

As I've mentioned before, it's no longer a simple matter, after updating Firefox to the latest version, to find out what's changed. Even the trusty Releases page now only gets you as far as V4.0.

And before you update, there's no easy way to find out what you're letting yourself in for, either - except for the breathless claims that V5 has a new look, super speed, and even more awesomeness.

In case you've just updated and you're wondering what's changed, V5's killer feature appears to be support for the Do Not Track feature on multiple platforms; it also "includes more than 1,000 improvements and performance enhancements that make it easier to discover and use all of the innovative features in Firefox".

So if you're looking for a conservative, low-risk, security-related update, this is not it. Since there is no V4.0.2, either, your only choice for a conservative change is to revert to V3.6.18.

If you're committed to the new-style Firefox, and you want the latest security patches to V4.0.1, your only choice is to go to V5, which fixes five remote code execution vulnerabilities and three less serious faults.

The V5 critical fixes are:

* MFSA 2011-26 Multiple WebGL crashes
* MFSA 2011-22 Integer overflow and arbitrary code execution in Array.reduceRight()
* MFSA 2011-21 Memory corruption due to multipart/x-mixed-replace images
* MFSA 2011-20 Use-after-free vulnerability when viewing XUL document with script disabled
* MFSA 2011-19 Miscellaneous memory safety hazards (rv:3.0/1.9.2.18)

There is no security fix for V3.6, which stays at 3.6.18. I can't help smiling at that, and wondering how many of the security fixes above were necessitated by code added since 4.0.1 to bring us those more-than-1000 enhancements and all that additional awesomeness.

My wish from Mozilla? For Firefox 6 (or 5.0.1, if there is one), please add one tiny extra step to the Check for updates button.

Let me preview a brief but informative list of security fixes I'm going to get (plus their significance), and a short list of anything which will look sufficiently different after Firefox restarts that I might scratch my head and think, "I wonder if that was supposed to happen?"

P.S. Yes, I've updated. I wanted the security fixes and I've found the FF4 code base usefully quicker. Nothing unexpected has happened to my settings, and it's so far, so good. I've got 3.6.18 installed in parallel, just in case. But I had that before, anyway.


8 Responses to Firefox releases Version 5; five remote code vulnerabilities fixed

  1. darrell mellinger · 1217 days ago

    It is a great thing to use... But like Chrome, no toolbar. I downloaded it, then found out my Yahoo toolbar would not work at this time with the new Firefox 5.0. If anyone knows of a good toolbar that will work, please let me know (no Google bar).

  2. mightyuhu · 1217 days ago

    Not to talk about add-on compatibility...

  3. Simon · 1217 days ago

    Are you trying to use it simply for search? Because that's still there. If you can't find it, you know you can just make the address bar the Google search. Just Google it! :)

  4. Arbigi · 1217 days ago

    Changing their version with every update might make them look cooler, but it plays merry hell with any attempts to get the government to allow it on work computers. At least one of the approved products lists is flexible enough to handle incremental updates on the RIGHT side of the decimal, but anything on the LEFT side is going to have to go through a review process, and then will come out on the next year's list. By then Firefox will be two or three versions down the road...

  5. Mark · 1216 days ago

    Mozilla has made it pretty clear that they are changing their release numbering not to "keep up with Chrome" or to "look cooler", but to keep Firefox version numbers in line with Gecko and internally push a faster release cycle. At the same time, I think it makes sense to avoid giving users the false impression that Internet Explorer and Chrome are more advanced browsers. Besides, whatever Mozilla do, they are not likely to catch up with Chrome's version numbering anyway, who have now got quite a head start, so that blows that argument out of the water.

    • Paul Ducklin · 1216 days ago

      I don't think I implied that Firefox might "catch up" to Chrome. But we seem to agree that there's a marketing aspect to the new rate of change in the Firefox version numbers.

      Of course, there's no reason to prevent FF catching up. Back in the 1990s, Patrick Volkerding, keeper of Slackware, the longest-running Linux distro, got tired of explaining why his distro "was behind" others simply on the basis that they were all at about V7 whilst he had only just released 4.0. He famously skipped not only 4.1 but also V5 and V6. Voilà! Slackware 7, and version parity.

  6. Gerald in Tucson · 1205 days ago

    Is it safe for a novice to try to keep up with the betas?

  7. burntmoon · 1137 days ago

    I had no problem with the upgrade to FF5, but ever since the upgrade to FF6 was installed I can no longer see photos on my blogs at blogspot.com, both all old postings and any new postings, which I have to do with Explorer. I also cannot see any photos on other blogs at blogspot.com, but I do not want to have to use Explorer; that is why most Firefox users started using Firefox, to avoid Explorer. The other reason is that in Explorer, when I am opening up new photos in the blog's uploader, I can only do one photo at a time, while with Firefox I was able to highlight 15 or 30 photos and the uploader did all the rest of the work, not me. I have gone back to older versions of FF and this problem does not go away. There have been suggestions to me that it might be a firewall issue only affecting Firefox. I had my up-to-date Norton product completely uninstalled and the problem remained. I also removed all add-ons and plug-ins and the problem remained. And I am not alone with this problem, because on another complaint on the FF support forum there are now 12 other people who are having the exact same issue. (There are probably many more who either do not know where or how to complain about the issue, or cannot be bothered, thinking that the problem will go away by itself.)

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog