Firefox 1.5 Beta 1 Released As First Bug Surfaces - InformationWeek



Mozilla Corp. has released the first official beta of Firefox 1.5, the next major update of the group's open source browser, with organization officials on Friday touting the new application as faster and easier to update. That may be tested sooner than Mozilla might have wanted, for also on Friday, a security researcher posted information and proof-of-concept code for a major vulnerability in most versions of Firefox, including the beta.

Beta 1 of Firefox 1.5 is the first major update since the launch of Firefox 1.0 in November 2004, said Mike Schroepfer, Mozilla's director of engineering. "This beta is designed primarily for Web and extension developers," said Schroepfer, "and as a way for us to get additional feedback on testing of compatible sites."

The beta, he added, will be followed by one more in about a month, then one or two release candidates before the final gets shoved out the door "sometime before the end of the year."

The delay in getting 1.5 ready for prime time, said Schroepfer and Chris Beard, products and marketing manager for Mozilla Corp., has been due to the unexpected number of new features added to the browser. "This ended up being a much bigger release than we originally planned," said Beard.

At one point, Firefox 1.5 -- then dubbed Firefox 1.1 -- was scheduled to release in March, but later -- when it was called Deer Park -- the browser was shoved back to mid-summer, then fall, and now winter.

Beard recognized that Mozilla sets itself up for criticism when it slips its schedules. But he wouldn't have it any other way. "We're very transparent in everything we do" as an open-source developer, he said.

Firefox 1.5 Beta 1 boasts several new features and improvements of existing tools, said Schroepfer, but he considers automatic updating as the "premier addition to 1.5."

Firefox already had an update notifier, but 1.5 will now automatically fetch security and other updates in the background, then install them without user intervention, much like Microsoft's Automatic Update does for Windows (and Internet Explorer). The auto update feature can be disabled, or users can require Firefox to ask permission before installing patches.

"Automatic updating will reduce the size of patches by 10 to 20 times," said Schroepfer. Previously, users had to download the entire browser to obtain fixes -- typically a 4-5MB file -- but in testing, Schroepfer said, Mozilla's been producing patches as small as "several hundred k."

Schroepfer and the other developers at Mozilla may get a chance to put auto update into play sooner than they anticipated. Early Friday, just hours after Mozilla released Beta 1, security researcher Tim Ferris posted information about a vulnerability in most editions of Firefox, as well as proof-of-concept code.

"A buffer overflow vulnerability exists within Firefox version 1.0.6 and all other prior versions which allows for an attacker to remotely execute arbitrary code on an affected host," wrote Ferris both on a posting to his own Web site and one to the Full Disclosure security mailing list.

A malicious Web site could insert the HTML proof-of-concept code made public to crash Firefox; attackers could take advantage of the buffer overflow to insert code to, for instance, grab complete control of the machine.

"We’re looking into the problem," said Mozilla's Schroepfer, "and we'll respond with a patch as quickly as possible." Schroepfer also confirmed that the just-released Firefox 1.5 Beta 1 is vulnerable to the bug as well as the production 1.0.6 version.

Danish security vulnerability tracker Secunia tagged the Firefox bug as "Highly critical," its second-from-the-top ranking for flaws, and noted that the same problem affects the Mozilla 1.7x and Netscape 7.x and 8.x browsers.

Friday afternoon, Mozilla posted a small patch that disables support for international domain names, or IDNs (the buffer overflow at issue occurs in the code that normalizes IDNs). The Firefox and Mozilla patch, as well as details on how to manually disable IDN support as a workaround, are on the Mozilla site.

Schroepfer took exception to Ferris' quick disclosure of the vulnerability, while others on the Full Disclosure list questioned why he posted proof-of-concept code when he had not done the same for recent vulnerabilities found within Microsoft's Internet Explorer.

"We had less than 72 hours from the time he notified us to when he posted information [about the vulnerability]," said Schroepfer.

The beta of Firefox 1.5 can be downloaded from the Mozilla Web site in versions for Windows, Mac OS X, and Linux.
