Mozilla released Firefox 12, which patches 14 security bugs in the browser and moves it one step closer to matching Chrome in silent updating.
The latest in the series of updates Mozilla has shipped every six weeks since mid-2011, Firefox 12 fixes seven vulnerabilities rated “critical,” the highest of the four severity levels in Mozilla’s rating scheme, four rated “high” and three rated “moderate.”
Mozilla also patched 19 other bugs, all critical, in the mobile edition of Firefox, which runs on the Android platform.
Among the 14 desktop vulnerabilities, Mozilla patched three that attackers could use in cross-site scripting (XSS) attacks, one that applied only to Windows Vista and Windows 7 PCs with hardware acceleration disabled, and another in image rendering through WebGL, the 3D graphics standard.
Two of the bugs were reported by security researchers at rivals Google and Opera Software. The Google engineer also notified Mozilla of all 19 vulnerabilities in the FreeType library that affected the mobile version of the browser.
Unlike Google, Mozilla does not call out bounties it paid to outside researchers for reporting vulnerabilities, even though Mozilla does have a reward program.
Mozilla did not explicitly say all the flaws were exploitable, but instead hedged with its traditional phrasing of, “We presume that with enough effort at least some of these could be exploited to run arbitrary code.”
Eleven of the 14 bugs were also patched in Firefox ESR, or Extended Support Release, the longer-lived edition designed for enterprises that don’t want to update workers’ machines every few weeks.
The current version of Firefox ESR is based on Firefox 10, which shipped in December 2011. ESR receives only security updates during its 54-week lifespan. The first iteration of ESR won’t change until November 2012, and will get support with security patches until early February 2013.
Meanwhile, Mozilla also updated Thunderbird and SeaMonkey, though those updates introduced relatively few new features or changes.
In version 12 of the Thunderbird news and email client, the Global Search function now includes extracts of messages in its results, and RSS feed subscription and general feed handling have been improved. Changes in the 2.9 update to the SeaMonkey “all-in-one internet application suite” include adding the ability to resize the File and Move Bookmarks dialogs, fixes for HTML5 videos, and Download Manager improvements that allow users to download URLs pasted from the clipboard.
The updates to Thunderbird and SeaMonkey also remedy 13 vulnerabilities in each of the applications. Six of these are critical and originate in problems related to WebGL, the OpenType Sanitizer, font rendering with Cairo, gfxImageSurface, IBMKeyRange and miscellaneous memory safety hazards. Four of the remaining issues are rated “high” risk, while the last three are rated “moderate.” Further details of these fixes are in the project’s security advisories.
In the release announcement for Thunderbird, the developers also remind users that, like Firefox 3.6.x, the legacy Thunderbird 3.1.x branch has reached its end of life and that no further updates, including security updates and critical fixes, will be available for that series. All users should upgrade. Those who don’t want to upgrade to Thunderbird 12 can switch to Mozilla’s Extended Support Release (ESR) edition, Thunderbird ESR, which was just updated to version 10.0.4.