Mozilla has released Firefox 3.6.2 about a week ahead of the original schedule. The update addresses some stability issues and a number of security vulnerabilities, most notably the critical security flaw described in Bug 552216, which could allow an attacker to execute malicious code on the target system.
Firefox is the number two Web browser behind Microsoft Internet Explorer, and is widely used as the de facto replacement for Internet Explorer in businesses around the world. Internet Explorer and Firefox combined have over 85 percent market share–leaving less than 15 percent to be divided among the remaining players.
Firefox experienced a dramatic spike in downloads–at least in Germany–following the discovery that a zero-day exploit in Internet Explorer was leveraged to launch attacks against Google and other companies in China. Germany, followed closely by France, recommended that businesses and users abandon Internet Explorer to ensure they could not be impacted by the zero-day attacks.
Now, Firefox finds itself on the other end of that same equation. Germany officially recommended that businesses and users drop Firefox in favor of another Web browser as a defense against the recently discovered security flaw.
The Firefox security issue does have a limited scope, though. Only Firefox 3.6 is affected, and the exploit will only work on Firefox running on Windows XP or Windows Vista. IT administrators need not worry about the millions of Linux, Mac OS X, and Windows 7 systems running Firefox.
Addressing the security issue as quickly as possible–and preventing any sort of German mass exodus off of the Firefox browser–is likely the main reason for the earlier-than-planned Firefox 3.6.2. It also seems likely that Mozilla wanted to ensure the most current, patched, and up to date version of its Web browser possible leading up to the CanSecWest security conference.
Apple also issued an update for its Safari Web browser–the target of an exploit that let one security researcher compromise and control a completely-patched Macbook in a matter of seconds to take home the $5,000 Pwn2Own contest prize. A second security researcher was also able to capture a $5000 prize by exploiting Safari.
Web browser vendors don’t want the notoriety that comes with being the browser platform hacked the fastest, or the Web browser that allowed an attacker to take control of the computer it’s running on, so it makes sense to try to address as many issues as possible. Unfortunately for Mozilla, Apple, and others, they can only patch flaws they’re aware of, and Pwn2Own contestants keep newly discovered vulnerabilities and exploits as closely-guarded secrets until the event so they can capitalize on them to capture the cash and the bragging rights that come with winning the contest.
A post on the Mozilla Developer News blog stresses “We strongly recommend that all Firefox users upgrade to this latest release. If you already have Firefox 3.6 you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting “Check for Updates…” from the Help menu.”
Businesses have no reason to be concerned with which browser gets compromised the fastest at CanSecWest, but any business using Firefox 3.6 on Windows XP or Windows Vista has a very good reason to upgrade to Firefox 3.6.2 as soon as possible.