Firefox 1.5 Beta 1 Released As First Bug Surfaces - InformationWeek


Mozilla Corp. has released the first official beta of Firefox 1.5, the next major update of the group's open source browser.

Mozilla Corp. has released the first official beta of Firefox 1.5, the next major update of the group's open source browser, with organization officials on Friday touting the new application as faster and easier to update. That may be tested sooner than Mozilla might have wanted, for also on Friday, a security researcher posted information and proof-of-concept code for a major vulnerability in most versions of Firefox, including the beta.

Beta 1 of Firefox 1.5 is the first major update since the launch of Firefox 1.0 in November 2004, said Mike Schroepfer, Mozilla's director of engineering. "This beta is designed primarily for Web and extension developers," said Schroepfer, "and as a way for us to get additional feedback on testing of compatible sites."

The beta, he added, will be followed by one more in about a month, then one or two release candidates before the final gets shoved out the door "sometime before the end of the year."

The delay in getting 1.5 ready for prime time, said Schroepfer and Chris Beard, products and marketing manager for Mozilla Corp., has been due to the unexpected number of new features added to the browser. "This ended up being a much bigger release than we originally planned," said Beard.

At one point, Firefox 1.5 -- then dubbed Firefox 1.1 -- was scheduled to release in March, but later -- when it was called Deer Park -- the browser was shoved back to mid-summer, then fall, and now winter.

Beard recognized that Mozilla sets itself up for criticism when it slips its schedules. But he wouldn't have it any other way. "We're very transparent in everything we do" as an open-source developer, he said.

Firefox 1.5 Beta 1 boasts several new features and improvements to existing tools, said Schroepfer, but he considers automatic updating the "premier addition to 1.5."

Firefox already had an update notifier, but 1.5 will now automatically fetch security and other updates in the background, then install them without user intervention, much like Microsoft's Automatic Update does for Windows (and Internet Explorer). The auto update feature can be disabled, or users can require Firefox to ask permission before installing patches.

"Automatic updating will reduce the size of patches by 10 to 20 times," said Schroepfer. Previously, users had to download the entire browser to obtain fixes -- typically a 4-5MB file -- but in testing, Schroepfer said, Mozilla's been producing patches as small as "several hundred k."

Schroepfer and the other developers at Mozilla may get a chance to put auto update into play sooner than they anticipated. Early Friday, just hours after Mozilla released Beta 1, security researcher Tim Ferris posted information about a vulnerability in most editions of Firefox, as well as proof-of-concept code.

"A buffer overflow vulnerability exists within Firefox version 1.0.6 and all other prior versions which allows for an attacker to remotely execute arbitrary code on an affected host," wrote Ferris both on a posting to his own Web site and one to the Full Disclosure security mailing list.

A malicious Web site could use the published HTML proof-of-concept code to crash Firefox; attackers could take advantage of the buffer overflow to insert code to, for instance, grab complete control of the machine.

"We’re looking into the problem," said Mozilla's Schroepfer, "and we'll respond with a patch as quickly as possible." Schroepfer also confirmed that the just-released Firefox 1.5 Beta 1 is vulnerable to the bug as well as the production 1.0.6 version.

Danish security vulnerability tracker Secunia tagged the Firefox bug as "Highly critical," its second-from-the-top ranking for flaws, and noted that the same problem affects the Mozilla 1.7x and Netscape 7.x and 8.x browsers.

Friday afternoon, Mozilla posted a small patch that disables support for international domain names, or IDNs (the buffer overflow at issue occurs in the code that normalizes IDNs). The Firefox and Mozilla patch, as well as details on how to manually disable IDN support as a workaround, are on the Mozilla site.

Schroepfer took exception to Ferris' quick disclosure of the vulnerability, while others on the Full Disclosure list questioned why he posted proof-of-concept code when he had not done the same for recent vulnerabilities found within Microsoft's Internet Explorer.

"We had less than 72 hours from the time he notified us to when he posted information [about the vulnerability]," said Schroepfer.

The beta of Firefox 1.5 can be downloaded from the Mozilla Web site in versions for Windows, Mac OS X, and Linux.
