Firefox security update keeps people in the dark

Several bugs fixed, some "high risk"...

Tags: flaw, security, firefox, mozilla

By Joris Evers

Published: 13 July 2005 08:48 GMT

The Mozilla Foundation has fixed several security flaws in its Firefox browser but has left people in the dark about what some of the issues entail.

Firefox 1.0.5, released on Tuesday, patches about 10 bugs in the open source web browser, some of them "high risk", according to Chris Hofmann, director of engineering at Mozilla. High-risk problems typically allow an intruder to commandeer a PC or expose the user's data.

"We have a collection of bug fixes that we have been working on for the last couple of weeks," Hofmann said.

Two of the flaws that have been patched were reported in June by security-monitoring company Secunia, a Mozilla representative said. The group has not released details on the other eight vulnerabilities, even though the software revamp was made available online on Tuesday. Mozilla said it is still working on providing a description of those outstanding security problems.

The update also includes improvements to make Firefox more stable, Mozilla said in its online posting.

Some of the security holes in Firefox were reported by Mozilla community members, helped by the group's bug bounty programme, which provides $500 and a Mozilla T-shirt for finders of critical flaws, Hofmann said.

Most of the flaws would require some user interaction for an attacker to be able to exploit them, Hofmann said. There are no known attacks that use any of the newly fixed problems, he said.

The vulnerabilities reported by Secunia are spoofing flaws, which could let an attacker place malicious content on trusted websites. One problem lies in the way the browser handles frames. The other exists because JavaScript dialogue boxes do not display or include their origin.

Firefox 1.0.5 is the first update to the popular alternative browser since 11 May, when Mozilla released version 1.0.4 to fix three bugs.

Later this week, Mozilla plans to release a new version of its Thunderbird email client. Thunderbird shares some code with Firefox and thus is vulnerable to the same security bugs, Hofmann said. An update to the Mozilla Suite is also scheduled to appear soon.

An alert mechanism in Firefox is designed to let people know that an update is available. They will have to download the full new browser, which is about 4.8MB in size. The next version of Firefox, release 1.1 due in August or September, will have a more streamlined patching mechanism that will let people download just the fixes, Hofmann said.

Since the debut of Firefox 1.0 in November, its usage has grown at a rapid pace. Security has been a main selling point for Firefox over rival Microsoft's Internet Explorer, which has begun to see its market share dip slightly - for the first time in a number of years. Firefox US usage share reached nearly seven per cent at the end of April, according to tracking company WebSideStory.

Joris Evers writes for CNET News.com
