The Mozilla Foundation issued an update to the latest version of Firefox, bringing it to version 3.5.2, and issues two updates to the older version of the browser that is still being supported, updating it to version 3.0.13. As a Computerworld article points out, the bug in the newer version of the browser is a low-level threat, being “a bug in how the browser handles replies from a SOCKS5 proxy” with no evidence of memory corruption. This bug had been patched in the older version of the browser, and it may be that Mozilla simply forgot to apply the patch to version 3.5.
The bugs patched in version 3.0.13 were presented at last week’s Black Hat security conference by researcher Dan Kaminsky, and affect the way Firefox handless SSL (secure socket layer) sessions. This is what is used to ensure secure communication between a browser and server.
Both updates are available from the Mozilla download page, or via the browsers’ auto-update features.
