Mozilla Corp. has released the first official beta of Firefox 1.5, the next major update of the group's open source browser, with organization officials on Friday touting that the new application's faster and can more easily be updated. That may be tested sooner than Mozilla might have wanted, for also on Friday, a security researcher posted information and proof-of-concept code for a major vulnerability in most versions of Firefox, including the beta.
Beta 1 of Firefox 1.5 is the first major update since the launch of Firefox 1.0 in November 2004, said Mike Schroepfer, Mozilla's director of engineering. "This beta is designed primarily for Web and extension developers," said Schroepfer, "and as a way for us to get additional feedback on testing of compatible sites."
The beta, he added, will be followed by one more in about a month, then one or two release candidates before the final gets shoved out the door "sometime before the end of the year."
The delay in getting 1.5 ready for prime time, said Schroepfer and Chris Beard, products and marketing manager for Mozilla Corp., has been due to the unexpected number of new features added to the browser. "This ended up being a much bigger release than we originally planned," said Beard.
At one point, Firefox 1.5 -- then dubbed Firefox 1.1 -- was scheduled to release in March, but later -- when it was called Deer Park -- the browser was shoved back to mid-summer, then fall, and now winter.
Beard recognized that Mozilla sets itself up for criticism when it slips its schedules. But he wouldn't have it any other way. "We're very transparent in every thing we do" as an open-source developer, he said.
Firefox 1.5 Beta 1 boasts several new features and improvements of existing tools, said Schroepfer, but he considers automatic updating as the "premier addition to 1.5."
Firefox already had an update notifier, but 1.5 will now automatically fetch security and other updates in the background, then install them without user intervention, much like Microsoft's Automatic Update does for Windows (and Internet Explorer). The auto update feature can be disabled, or users can require Firefox to ask permission before installing patches.
"Automatic updating will reduce the size of patches by 10 to 20 times," said Schroepfer. Previously, users had to download the entire browser to obtain fixes -- typically a 4-5MB file -- but in testing, Schroepfer said, Mozilla's been producing patches as small as "several hundred k."
Schroepfer and the other developers at Mozilla may get a chance to put auto update into play sooner than they anticipated. Early Friday, just hours after Mozilla released Beta 1, security research Tim Ferris posted information about a vulnerability in most editions of Firefox, as well as proof-of-concept code.
"A buffer overflow vulnerability exists within Firefox version 1.0.6 and all other prior versions which allows for an attacker to remotely execute arbitrary code on an affected host," wrote Ferris both on a posting to his own Web site and one to the Full Disclosure security mailing list.
A malicious Web site could insert the HTML proof-of-concept code made public to crash Firefox; attackers could take advantage of the buffer overflow to insert code to, for instance, grab complete control of the machine.
"We’re looking into the problem," said Mozilla's Schroepfer, "and we'll respond with a patch as quickly as possible." Schroepfer also confirmed that the just-released Firefox 1.5 Beta 1 is vulnerable to the bug as well as the production 1.0.6 version.
Danish security vulnerability tracker Secunia tagged the Firefox bug as "Highly critical," its second-from-the-top ranking for flaws, and noted that the same problem affects the Mozilla 1.7x and Netscape 7.x and 8.x browsers.
Friday afternoon, Mozilla posted a small patch that disables support for international domain names, or IDNs (the buffer overflow at issue occurs in the code that normalizes IDNs). The Firefox and Mozilla patch, as well as details on how to manually disable IDN support as a workaround, are on the Mozilla site.
Schroepfer took exception with Ferris' quick disclosure of the vulnerability, while others on the Full Disclosure questioned why he posted proof-of-concept code when he had not done the same for recent vulnerabilities found within Microsoft's Internet Explorer.
"We had less than 72 hours from the time he notified us to when he posted information [about the vulnerability]," said Schroepfer.