Firefox update plugs three critical flaws
Version 3.5.6 will patch your quilt
Mozilla has pushed out a cross-platform update for Firefox that fixes multiple security flaws.
Firefox 3.5.6 lances three critical vulns in the open source browser software. They include memory problems involving the liboggplay media library, an integer overflow crash bug in the libtheora video library, and a separate memory corruption flaw. All three of the critical vulns create a possible mechanism for hackers to inject hostile code onto vulnerable systems, via drive-by download attacks or similar malign trickery.
The update, published on Tuesday, also tackles a variety of lesser vulnerabilities that (at worst) create a means to crash vulnerable systems. Firefox 3.5.6 also tackles stability bugs and tweaks features, as explained in Mozilla's release notes here.
Firefox 3.0.16 tackles similar flaws for users still using the 3.0.X version of the browser. 3.0.16 is needed to tackle one critical flaw in previous versions of the software, which compares to the three critical nasties lanced with 3.5.6.
As usual, Firefox bugs mean users of the corresponding version of the Mozilla SeaMonkey application suite, version 2.0.1, also need to apply patches.
More ruminations on the possible consequence of leaving the flaws unfixed can be found in a security advisory by Secunia here. ®
Re: three MORE critical flaws
Well, keep in mind that these are flaws discovered before they have been exploited. With a closed sauce application you wouldn't know if there were any, would you?
Calling these flaws "critical" is IMHO misdirecting the general ignorant public, e.g. Andrew Norton. They are "critical" in the sense that they _could_ be used to subvert your system. Often closed sauce applications release fixes to "critical" flaws _after_ they have been exploited. And probably (but we can never know) they release fixes to "critical" flaws without even telling anyone.
To compare the security-ness of current browsers please look at how large a timeslice of their lifetime they are susceptible to actual exploited flaws. FF would still beat many (but not all) browsers hands down. Lynx FTW. :-)
Hype and Antihype
These comments make me laugh. Whenever a flaw is found in Firefox/Linux people jump all over it like flies on shit going 'Firefox/Linux is insecure crap! In your face fanbois!'
Yes, in your face fanbois, but these are found and fixed before they are exploited, whereas it takes a few botnets to appear before Microsoft will get off their arses to do anything about a flaw in their browser. (I exaggerate, for literary effect.)
When a flaw is found in these programs, because they have the marketing of being safe, when it's found they aren't perfect, people go mad. When will people realise that nothing is perfect? I mean, when did you last believe what the latest Microsoft Ad tells you?
Firefox is still > IE.
Case closed. (although likely to reopen if I can be arsed to argue the point.)
ogg & theora
The guy that thought the browser should be the OS should be killed. Hence the grenade.