Firefox 3.0.9 targets 12 security vulnerabilities

Web browser's third update this year fixes 12 vulnerabilities--four rated critical--and comes as its open-source developers ready the fourth beta.

Steven Musil Night Editor / News
Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.
Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.
Steven Musil
2 min read

Updated at 11:32 a.m. PST with a summary of the bug fixes.

Mozilla released an update to Firefox 3 on Tuesday that patches 12 security vulnerabilities, four of which it rated as critical.

Firefox 3.0.9, the Web browser's third update this year, fixes two critical vulnerabilities in the Firefox browser engine and two in its JavaScript engine, according to a security advisory posted Tuesday:

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort, at least some of these could be exploited to run arbitrary code.

One critical security bug fixed crashes caused by memory corruption, which the developers felt could have been used at some point to run arbitrary code.

Two other high-profile bugs involved a misinterpretation of a particular Adobe Flash code that could have been exploited, and a URI mismatch that also could have led to arbitrary JavaScript executions. However, there's no evidence in the bugs that these security holes had been exploited.

AOL.com and AIM.com Web mail users should once again be able to view attached images inline and without hiccups. A bug created in Firefox 3.0.7 caused images to break where they had loaded properly in Firefox 3.0.6. Also, users who noticed previously stored cookies mysteriously disappearing should find that bug repaired.

The release comes as Mozilla prepares to release the fourth beta test of Firefox 3.5--the next version of the open-source browser. Mozilla had originally planned to release its new "Shiretoko" version of Firefox in early 2009. But after releasing Firefox 3.1 beta 3 last month, the organization behind the browser said a fourth beta is planned--and with the new version number, 3.5.

Expected changes in Firefox 3.5 include faster execution of Web-based JavaScript programs, a private-browsing mode, native support for the JSON (JavaScript Object Notation) technology for exchanging data between servers and browsers, and built-in audio and video abilities for bypassing Flash or other multimedia technologies.

In March, security-testing company Secunia reported that Mozilla had more vulnerabilities in its Web browser last year than Internet Explorer, Safari, and Opera combined, but that Mozilla dealt with those flaws more quickly than Microsoft did.

Meanwhile, Firefox continues to chip away at Internet Explorer's market dominance. Mozilla now has 22.05 percent of the global browser market share, compared with IE's 66.82 percent, a drop of more than seven percentage points in a year, according to figures from Web metrics company Net Applications.

Updates for Windows, Mac OS X, and Linux are available at the Mozilla site. (Downloads in all languages are available here.) Firefox 3 users will receive an update notification within 48 hours, or they can download the update manually by selecting "Check for Updates" from the Help menu.

CNET's Seth Rosenblatt contributed to this report.