Skip to main content
Add as a preferred source on Google


Firefox 3.0.8 Released, Critical Security Bugs Fixed

  • By Jabulani Leffall
  • 03/30/09

Mozilla rolled out security updates for Firefox after the Web browser was hacked during a contest two weeks ago at a software security convention in Vancouver.

The updates address two separate vulnerabilities in Mozilla Firefox browser versions 3.0.x. Users can get them through "Check For Updates" in the Help menu of the browser, according to the Mozilla Links blog. However, users can also download the latest version of the browser, Firefox 3.0.8, which addresses those vulnerabilities and arrives one week early.

One of the vulnerabilities patched was a proof-of-concept memory corruption bug associated with XSL parsing. This so-called crashing bug was discovered last week by an Italian hacker.

The second vulnerability that Mozilla patched was found by a hacker calling himself Nils. He won $15,000 at the CanSecWest Pwn2Own competition by hacking into three fully patched browsers. Nils first hacked into Internet Explorer 8, finding DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) bugs that Microsoft since has said are fixed. He also took down Apple's Safari browser, according to this account.

Nils is a 25-year-old computer science student from Germany who would only give his first name during the event. He explained why he was able to hack the Firefox browser, indicating that the "XUL tree method _moveToEdgeShift was in some cases triggering garbage collection routines on objects which were still in use."

This bug caused Firefox to crash. It can allow an attacker the ability to run code on a victim's computer if the user is lured to a Web site laden with ready-to-deploy exploits.

In issuing the updates, Mozilla rated both vulnerabilities as "critical," Mozilla's highest severity rating. Mozilla also indicated that both bugs can also be addressed by disabling JavaScript in the Firefox browser.

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.

Featured

  • Hand holding a glowing AI sphere

    Beyond the Hype: 5 Actionable Steps for Higher Ed to Master AI in 2026

    AI has arrived as a powerful, pervasive reality, bringing with it a whirlwind of innovation, new tools, and pressing questions. Here are five practical steps to help your institution navigate this rapidly evolving landscape and accelerate its path to real transformation.

  • glowing brain above stacked coins

    The Higher Ed Playbook for AI Affordability

    Fulfilling the promise of AI in higher education does not require massive budgets or radical reinvention. By leveraging existing infrastructure, embracing edge and localized AI, collaborating across institutions, and embedding AI thoughtfully across the enterprise, universities can move from experimentation to impact.

  • abstract networking lines with AI text on top

    WWT, NVIDIA Introduce Framework for Secure, Scalable, Responsible AI Adoption

    Technology services provider World Wide Technology and NVIDIA have jointly developed an AI security framework dubbed AI Readiness Model for Operational Resilience (ARMOR), designed to help organizations accelerate AI adoption while maintaining security, compliance, and operational resilience.

  • Businessman holding Chatbot with binary code, message and data 3d rendering

    Anthropic Criticizes OpenAI Ad Strategy

    Anthropic recently launched a multi-million dollar Super Bowl advertising campaign criticizing OpenAI's decision to start showing ads within ChatGPT.