Firefox 4 gets its first security update

Filed Under: Apple, Firefox, Vulnerability

Yesterday, five weeks after shipping Firefox 4, the Mozilla project published the new browser's first-ever security update. The Firefox version number bumps up to 4.0.1.

The update fixes 50-odd bugs in total, amusingly including three fixes listed as specific to OS/2. Ironically, the latest official release of the OS/2 port of Firefox, dubbed Warpzilla, hasn't yet reached version 4 - it's still back at version 3.6.8.

The release notes for Firefox 4.0.1 are hard to find from the main page. (Browsing to doesn't help, as this just redirects to the Mozilla page.) But if you know where to look, you'll find that two critical security advisories are fixed in the 4.0.1 release.

MFSA2011-12 deals with memory corruption bugs in the browser engine itself; Mozilla experts officially opined that "with enough effort at least some of these could be exploited to run arbitrary code". MFSA2011-17 deals with "two crashes that could potentially be exploited to run malicious code" in a graphics library called WebGLES, used by Firefox.

Because the 4.0.1 update addresses vulnerabilities that are considered remotely exploitable, we advise you to apply this update without delay.

The previous version, Firefox 3.6, also gets an update, moving to 3.6.17. This update also squashes some critical bugs, including the MFSA2011-12 memory corruption vulnerability affecting Firefox 4.

Two other critical vulnerabilities which don't affect version 4 are fixed.

MFSA2011-13 deals with various "dangling pointer" bugs (a dangling pointer is a programming mistake in which a memory reference remains in use after the memory it points to has been returned to the operating system for re-use). MFSA2011-15 deals with a privilege escalation bug in the Java Embedding Plugin.

The MFSA2011-15 vulnerability is specific to the Mac OS X version of Firefox. Apple users who imagine themselves invulnerable simply by virtue of their choice of operating system, please take note!

There's an update to Mozilla's Thunderbird email client as well. Thunderbird moves to version 3.1.10.

Somewhat confusingly, the Thunderbird release notes don't list any critical vulnerabilities fixed in this version, but the MFSA2011-12 advisory specifically states that the bugs it covers are "fixed in Thunderbird 3.0.10".

If you're a Thunderbird user, we advise you, too, to update as soon as you can.

, , , , ,

You might like

8 Responses to Firefox 4 gets its first security update

  1. DRND · 1589 days ago

    I don't get this stuff. I have 4.0, the website says I'm updated. I don't see where I can update to 4.0.1.....will it do it automatically? I clicked on release notes (in your article) but that isn't helping me know what to do. Please help?

    • Paul Ducklin · 1588 days ago

      In the "About Firefox" dialog box you'll see the version number. You should also see a button labelled "Check for updates". Press it to get up to date if you aren't already.

      Automatic updates for both Firefox and any plug-ins you use are configured in the Preferences dialog. Open Preferences and click "Advanced" followed by "Update".

      • DRND · 1588 days ago

        Yes, it updated automatically......thanks so much for helping, Paul. I really appreciate Sophos and all the info on your Facebook page! :-)

  2. Deborah · 1588 days ago

    I have never gotten an update. I tried to check update history and it told me the update server was not found and to check my internet connection. Should I download the 4.0 version? I run a mac (not windows)

    • Paul Ducklin · 1588 days ago

      Did you try what I suggested to DRND in the comment above? On your Mac, click on the "Firefox" item next to the Apple icon in the Menu Bar, open "About Firefox" from the option list which drops down, and press the "Check for updates" button.

      • Deborah · 1588 days ago

        The problem is, there is NO "check for updates" when I do that. 3.5.6 is what that little window says I have. I seldom use firefox, but safari doesn"t play nice with some of the apps I use.

        • Paul Ducklin · 1587 days ago

          The 3.5 version is the pre-previous one. Mozilla still supports it, but only just.

          In 3.5 and 3.6, the "Check for updates" option is under the "Help" menu item, not in the "About" box as it is for version 4.

          You probably want to consider updating to version 4, or at least to 3.6. The 3.5 version is "old" by Mozilla's standards, which means it is unlikely to still to be getting the security attention it deserves.

          Iif you use a particular browser very rarely, you probably want to turn on automatic updates. (See above. IIRC the configuration of updates is similarly-located in 3.5, 3.6 and 4.) When you fire it up, there might have been many security updates since you last used it - updates to patch holes which are now well-known to the cybercrooks. You therefore want to ensure you update ASAP with every use, lest you forget (something you have indeed done - 3.5 is already up to 3.5.19, so you're already 13 updates behind :-).

  3. xsaf · 1582 days ago

    I like firefox for its various addons but it's also very boring that it takes too much resource.Finally i turn to orca browser which is based on's fast and support the addons from firefox.However it also has a shortcoming:the gecko engine still be 3.6

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog