Firefox 6 is out - several critical security fixes and one cool new featurette!

Filed Under: Firefox, Vulnerability

Firefox 6 is out. This is the second release under Firefox's new 'single-line railway track with regular stations' development and release regimen.

Like last time, when Version 5 came out on the mid-year solstice, the official release appeared spot on target: 17 August on the Eastern side of the world, and 16 August in Mozilla's timezone.

Code-wise, a fair bit seems to have changed - on OS X, for example, Firefox's own self-orchestrated update is 9.8MByte, compared to a 28MByte download for the complete installer. Nevertheless, according to the What's New section in the release notes, there don't seem to be any major new features.

There is one change I really like, even though it's minor and you might not notice it until it's pointed out. (On second thoughts, perhaps I meant precisely because, rather than even though. Subtle changes are often the best and most useful.)

The domain name of the current URI is highlighted in the address bar (or, more accurately, the non-domain-name part of the URI is slightly dimmed) so that it stands out.

Domain names are intelligently identified. Some countries use a TLD (top-level domain) registration system, where domain names end with a country code (e.g. sophos.de in Germany). Others use a 2LD (second-level domain) system, where domain names include a domain-specific identifier to the left of the country code (e.g. sophos.com.au). And a few use a mixture of TLDs and 2LDs (e.g. sophos.jp and sophos.co.jp).

In some TLD jurisdictions, especially for little-known country codes, scammers have registered 2LD-like domain names to give them an aura of respectability.

The best-known example is probably co.cc, which is a true domain name under Australia's ill-regulated Cocos (Keeling) Islands country code [*], unlike the well-regulated .com.au 2LD system used in mainland Australia. (Why the Australian federal regulators are so strict on .com.au yet so soft on .cc is an issue for another time.)

So this new Firefox featurette will help to remind you of domain name and hostname trickery. In particular, it will remind you that example.co.cc is not a domain name, but just a sub-domain of co.cc, and that visa.com.dodgy.example does not belong to visa.com.
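The splitting described above can be sketched in a few lines. This is an added example, not Firefox's code: the suffix set is constructed from the examples in this article only, the names `SUFFIXES`, `splitHost` and `highlight` are hypothetical, and square brackets stand in for the undimmed part of the address bar.

```javascript
// Constructed suffix set, built only from the examples in the article.
// It is NOT the complete list a real browser would need.
const SUFFIXES = new Set(["de", "com.au", "jp", "co.jp", "cc", "com", "example"]);

// Split a hostname into sub-domain, registrable domain and suffix.
function splitHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  // IP literals have no registrable domain; treat the whole host as one unit.
  if (/^[\d.]+$/.test(host) || host.startsWith("[")) {
    return { subdomain: "", domain: host, suffix: "" };
  }
  const labels = host.split(".");
  // Default rule: if nothing matches, the last label is the suffix.
  let suffixStart = labels.length - 1;
  // Scanning from the left means the longest matching suffix wins,
  // so sophos.co.jp matches "co.jp" before it can match "jp".
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) { suffixStart = i; break; }
  }
  // The host is itself a bare suffix (or a single label): nothing to highlight.
  if (suffixStart === 0) return { subdomain: "", domain: null, suffix: host };
  return {
    subdomain: labels.slice(0, suffixStart - 1).join("."),
    domain: labels.slice(suffixStart - 1).join("."), // one label plus the suffix
    suffix: labels.slice(suffixStart).join("."),
  };
}

// Render a URL with the registrable domain bracketed, mimicking the
// "everything else is dimmed" effect.
function highlight(url) {
  const u = new URL(url);
  const { subdomain, domain } = splitHost(u.hostname);
  const shown = domain === null
    ? u.hostname
    : (subdomain ? subdomain + "." : "") + "[" + domain + "]";
  return u.protocol + "//" + shown + (u.port ? ":" + u.port : "") + u.pathname + u.search;
}

// Constructed sample URLs using the hostnames mentioned in the article.
for (const url of ["https://visa.com.dodgy.example/login",
                   "http://example.co.cc/",
                   "http://www.sophos.com.au/",
                   "http://sophos.co.jp/"]) {
  console.log(highlight(url));
}
```

Because `co.cc` is not in the suffix set, `example.co.cc` comes out as a sub-domain of `co.cc`, while `sophos.co.jp` is kept whole because `co.jp` is a suffix.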

As usual, there are several security-related bug fixes which are reason enough on their own to upgrade to Firefox 6.


Note that Mozilla has made a colour-coding mistake on its Known Vulnerabilities page, tagging this update with link text set against a white background, implying it is a low-impact update.

Click through to Mozilla Foundation Security Advisory 2011-29, however, and you will quickly see that it lists seven security issues, of which five are of critical impact (red text background), and two high (orange).

One of the critical issues itself relates to a whole raft of memory corruption bugs about which Mozilla says, "We presume that with enough effort at least some of these could be exploited to run arbitrary code."


-
[*] Country codes don't actually denote countries. They are issued both to sovereign independent states and to their overseas dependent territories. Australia therefore ends up with five 'country' codes: AU, CC, CX, HM and NF.


15 Responses to Firefox 6 is out - several critical security fixes and one cool new featurette!

  1. george anderson jr. · 1164 days ago

    lol that last thing you mentioned, Internet Explorer has had that for over 2 years now, Firefox stole it from them.

    • Paul Ducklin · 1164 days ago

      "Imitation is the sincerest of flattery"

      (Charles Caleb Colton, c. 1820.)

      • Rochester's finest · 1164 days ago

        ...and Microsoft flattered Mozilla by 'stealing' tabbed browsing. It's just a world filled with love for one another! LOL

  2. Melanie · 1164 days ago

    Thank you Paul for the update. I use Firefox/Mozilla and don't know if it is 5 or 6 but have had my visa hacked only just recently. Bank is correcting issue right now but what do you suggest? Do I upgrade my Mozilla or stick with the one I have? Thank you.

    • Paul Ducklin · 1164 days ago

      If you're not sure which version you have, then you don't really have a good reason for sticking with a specific older version...I'd get the latest.

      As for the fraud against your card - was that to do with your browsing?

      Card details can be stolen in many ways, such as:

      * Skimmed when you use your card in a shop, restaurant, club, etc. (Most people don't even watch their card being swiped. They just hand it over and sign the chit 5 minutes later. Could have been copied any number of times in the interim :-)

      * Harvested by malware on your PC. This means the hack is not the fault of the browser or of where you browsed to.

      * Stolen by tricking you into doing a transaction on a fake site. (Phishing.)

      * Acquired as a result of a data breach by someone you thought you could trust with your card.

      The more up-to-date your browser, the better you are probably protected against #3. You also slightly reduce the chance of getting tricked into being infected, which helps a bit against #2.

      #1 and #4 can't be fixed by your PC, OS or browser :-)

  3. hm...makes locationbar obsolete!

    The only other critical thing I'd expect to see them integrate into the browser is Tab Mix Plus' capabilities (so cool)

    Thanks for the heads-up! Well-written with many screenshots!

    grade A work! ha ha

    • Paul Ducklin · 1164 days ago

      Thanks. My favourite image, however, is the Happy Rhino :-)

  4. The domain highlighting feature has been standard in the Opera browser for some time now.

    Nice to see Firefox still playing catch up.

  5. Peter Yates · 1164 days ago

    It seems that this new version has bug fixes for versions 4 and 5. For anybody still using version 3, your new update is version 3.6.20, which was issued on August 16.

  6. Julia · 1164 days ago

    Good! I've been having problems with FF 5 gobbling up the memory on my computer (something to do with the added anti-Flash crash thingy, I think)

  7. Actually, I'm pretty sure that I've seen this feature before. But I can't say if it was on FF or rather another browser (Safari comes to mind).

  8. randolph32 · 1164 days ago

    Thanks Peter....I just can't get the hang of 4, 5 or 6.....3.x is still the best in my world!

  9. Adam · 1163 days ago

    I would recommend installing a nifty piece of software called Trusteer Rapport as it is a very useful tool for on-line security. Most banks give you this piece of software, anyhow, it's free and works wonders! :)

  10. Tyw7 · 1163 days ago

    Didn't Internet Explorer have domain highlighting way before Firefox? Take that Internet Explorer haters!

    Now for a more serious topic. Is Internet Explorer domain highlighting as efficient as Firefox?


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog