The security update, Firefox 1.0.1, can be downloaded immediately at www.mozilla.org, and it will be available within a few days via Firefox's automatic update feature. "I'd encourage users to get this release, especially if they've been prone to phishing attacks or spoofing," says Chris Hofmann, director of engineering with Mozilla, a nonprofit software-development organization. "A lot of work in this release focuses on those areas."
The update covers a handful of security vulnerabilities and approximately 40 other fixes related to browser performance based on user feedback to Mozilla. The security vulnerabilities range from "moderately critical" in nature to not critical. None of them are highly critical, and there are no known exploits for any of the vulnerabilities, Hofmann says.
One security patch addresses the problem of international domain name spoofing, in which a hacker could potentially spoof a Web site through the international characters in the browser. The fix involves putting "funny-looking characters" in the susceptible area of the browser, though Hofmann acknowledges it's only a temporary solution. Security firm Secunia described the IDN spoofing vulnerability in a bulletin earlier this month.
The update is also meant to prevent cross-site scripting, in which an attacker gains access to data entered on a Web site by manipulating the browser.
Firefox 1.0 has been downloaded 27 million times since it was released on Dec. 7. In the process, the no-cost browser has cut into Microsoft Internet Explorer's dominant share of the browser market. IE's market share on Windows PCs had slipped to 92.7% in mid-January, from 96.7% in June, while Firefox's share rose, according to WebSideStory Inc., a Web-analytics firm that tracks browser usage. WebSideStory is expected to release updated Web-browser statistics next week.