Firefox 2.0.0.14 update plugs memory hole

Posted by Christian Zibreg

Chicago (IL) - Late Wednesday, Mozilla issued an update for its Firefox browser that finally patches the garbage collection bug in the JavaScript engine. The bug can result in unexpected crashes and memory leaks, and represents a “critical” security risk for users.

The security problem surfaced in Firefox 2.0.0.13 and quickly made its way through developer forums. According to Mozilla, the bug caused the JavaScript engine to crash during the so-called garbage collection process, a technique the program uses to reclaim memory reserved by objects that are not expected to be accessed again.

If the JavaScript engine collapses during “garbage collection”, large memory leaks can occur, and such memory leaks cannot be reclaimed by the operating system until the system is rebooted. Some crashes of this type have proved to be exploitable in the past, clearing the way for hackers to run potentially malicious software. Mozilla recommends that all Firefox 2.0 users upgrade to Firefox 2.0.0.14 to fix the problem.

Thunderbird is also affected by the problem, as the email client shares the browser engine with Firefox. According to Mozilla, Thunderbird users who enabled JavaScript for email messages in versions prior to 2.0.0.14 and SeaMonkey 1.1.10 (both versions have been released as security updates) were exposed to risks. Mozilla is therefore discouraging users from enabling JavaScript in Thunderbird, noting that this is not the default setting anyway.

Late Wednesday, Apple also issued a Safari update that elevated the web browser to version 3.1.1. The Safari update patches at least four separate flaws as well as the infamous bug that enabled Charlie Miller to break into the MacBook Air within minutes. As part of the contest terms, Miller had to disclose the bug to Apple, which made it possible for the company to release the Safari patch.