Mozilla released today Firefox 12, patching 14 security bugs in the browser and moving it one step closer to matching rival Chrome in silent updating.
The latest in the line of updates that have rolled off the Mozilla development line every six weeks since mid-2011, Firefox 12 fixed seven vulnerabilities labeled "critical," the highest threat ranking in Mozilla's four-step scoring, four bugs tagged "high" and three pegged "moderate."
[ Get your websites up to speed with HTML5 today using the techniques in InfoWorld's HTML5 Deep Dive PDF how-to report. | Learn how to secure your Web browsers in InfoWorld's "Web Browser Security Deep Dive" PDF guide. ]
Mozilla also patched 19 other bugs, all critical, in the mobile edition of Firefox, which runs on the Android platform.
Among the 14 desktop vulnerabilities, Mozilla patched three that could be used by hackers in cross-site scripting attacks, one that applied only to Windows Vista and Windows 7 PCs with hardware acceleration disabled, and another in image rendering done by the WebGL 3D standard.
Two of the bugs were reported by security researchers at rivals Google and Opera Software. The Google engineer also notified Mozilla of all 19 vulnerabilities in the FreeType library that affected the mobile version of the browser. Unlike Google, Mozilla does not call out bounties it's paid to outside researchers for reporting vulnerabilities, even though Mozilla does have a reward program.
As usual, Mozilla did not explicitly say that all the flaws could be exploited, but instead hedged with its traditional phrasing of, "We presume that with enough effort at least some of these could be exploited to run arbitrary code."
Eleven of the 14 bugs were also patched in Firefox ESR, or Extended Support Release, the longer-lived edition designed for enterprises that don't want to update workers' machines every few weeks. The current version of Firefox ESR is based on Firefox 10, which shipped in December 2011. ESR receives only security updates during its 54-week lifespan. The first iteration of ESR won't appreciably change until November 2012, and will be supported with security patches until early February 2013.
As expected, Mozilla did not release fixes for Firefox 3.6, the 2010 browser it officially retired today. Mozilla has been nagging Firefox 3.6 users with pleas to upgrade for weeks, and will take the unusual step of automatically upgrading them to Firefox 12 early next month.
Although Mozilla touted a total of 85 improvements for Web developers, it focused on the feature that brought the browser, at least on Windows, one step closer to true "silent" updating.
Firefox 12 skirts Windows' UAC prompt, but by clearing the highlighted box, users can restore the warning.
"Firefox simplifies the update process for Windows users by removing the UAC (user account control) dialog pop-up while maintaining the security of your system," the company said in a Tuesday blog post announcing the release of Firefox 12. "Once a user gives explicit permission to Firefox on their first installation, they will not be prompted again for subsequent releases."
