The majority of Firefox users is subscribed to the stable channel. The latest official version of that channel is Firefox 5.0.1 which will be updated to Firefox 6 on Tuesday.

But Firefox Stable is not the only channel that has received an update that is already available on the Mozilla ftp server. The Firefox 3.6.x branch is still actively maintained, and users of that branch will be quite happy that their version of the Internet browser receives an update as well. Firefox 3.6.20 is also available on the ftp server.

Firefox users who do not want to wait that long can download the new version of Firefox can download the new versions from one of the official mirror servers like this one.

Cautious users should wait until the release is officially announced on the Mozilla site and via the automatic update option of the web browser itself. It is unlikely that we will see last minute changes but it has happened in the past.

So what is new in Firefox 6? The official release log has not been updated yet. The beta changelog lists the following changes:

The address bar now highlights the domain of the website you’re visiting
Streamlined the look of the site identity block
Added support for the latest draft version of WebSockets with a prefixed API
Added support for EventSource / server-sent events
Added support for window.matchMedia
Added Scratchpad, an interactive JavaScript prototyping environment
Added a new Web Developer menu item and moved development-related items into it
Improved usability of the Web Console
Improved the discoverability of Firefox Sync
Reduced browser startup time when using Panorama

The full list of changes of Firefox 6 is available here.

Only the beta release notes are available for Firefox 3.6.20 as well. The list is considerably shorter: The developers have fixed security and stability issues, and enabled downloadable font support for users running Mac OS X 10.7.

Big changes and features that will make an impact are already implemented and tested in Firefox 7. This is the version of the browser that will reduce memory usage significantly on many systems. (see Firefox 7 Aurora Shows Significant Memory Usage Improvements). (via)

The current version of Firefox does not offer protection against these kinds of installations. Mozilla has acknowledge the issue and is currently working on a solution. The development team plans to include protection against unwanted add-on installations from Firefox 8 on.

A wiki page over at Mozilla offers details about the motivation and current stage of development.

Mozilla notes that they “currently do not provide adequate warning to users that new third-party provided add-ons have been installed” and that the “project will ensure that users opt-in to all add-ons that aren’t installed through the Firefox UI”.

With the protection in place, Firefox would inform its user of new add-ons that have been installed from third party software and not from within the browser UI. It is Mozilla’s plan to display an opt-out page to the user so that it is possible to block the installation and execution of the add-on in the browser.

A mockup has been created that shows how the user prompt could look like during start of the browser. In this mockup, each third party add-on installation would span in its own tab in the browser. (via)

We do not know at this point if add-ons refer only to browser extensions, or if browser plugins are also included in the checks. It would make sense if Mozilla would block all automatic third party installations, and not only those that are extension related.

Conceivable Tech notes that Mozilla also wants to make sure that add-ons are always removable in the browser, another long standing issue that is about to get resolved.

The projected release target should give Mozilla ample time to test the new security measure before it reaches the majority of users in the Firefox Beta and Stable channels.

The best Firefox security add-ons is a guide for Firefox users who want to improve their web browser’s security and protection from attacks on today’s Internet. That does not necessarily mean that you need to install all of the add-ons to protect your browser from malicious attacks, as some may only be useful if you visit specific websites or types of sites regularly.

The list concentrates on security related add-ons, not privacy related. Only extensions that are compatible with at least Firefox 4 have been included in the list.

My Extensions

Those are extensions that I use on my private PC. I thought it would be a great way to start with a selection of add-ons that I personally use all the time, and list the remaining extensions in the second part of the article.

NoScript – Most malware and attacks are script based on the Internet. If a script cannot run, it cannot attack your computer. NoScript does exactly that. It blocks all scripts from running on all pages and websites on the Internet. You can whitelist scripts for a session or permanently if you trust a website.

A must-have extension and one of the main reasons that I’m still using the Firefox web browser and not another browser.

Alternative: YesScript, which allows all scripts and gives you the option to disable select ones.

LastPass Password Manager – LastPass is a password manager which makes the add-on security related. It stores the passwords online which means that you can access them from any PC that LastPass is installed on provided that you have an Internet connection on that PC. It features a secure password generator, form filler and note taking along with the usual options like automatically logging you in on websites or an on screen keyboard.

The company recently created a tool called LastPass Security Challenge which goes through your stored passwords to rate them individually and overall.

Firefox Security Add-Ons

BrowserProtect – Protects your web browser’s settings and preferences from being tampered with. Some programs that you install on your computer change Firefox settings either automatically or if you do not pay attention to the installation dialog. Browser Protect for Firefox shields the browser by monitoring the browser configuration. It is for instance effective against homepage hijacking or search engine provider changes.

HTTPS Finder – It is always safer to use https when available, as it protects the information from network snooping and other possible attack forms. HTTPS Finder informs you if a website supports HTTPS, with an option to automatically switch to the HTTPS protocol. A similar feature is provided by NoScript.

Master Password+ – Passwords stored in Firefox’s default password manager are not secured at all by default. Anyone with access to the computer can access both usernames and passwords for all sites. The Master Password is a way to protect the password list in Firefox. Master Password+ improves that feature, for instance by prompting for the master password on browser startup or locking up the browser window if the master password is not supplied.

Whois Lookup – It sometimes pays to know who owns and administrates a website. This is done with a Whois Lookup, which you can do manually on many whois related sites on the Internet, or semi-automatically with the Firefox extension Whois Lookup.

Host Permissions – Allows you to disable permissions for individual hosts. Permissions include images, redirects, plug-ins, JavaScript and frames).

Alternative: Bookmark Permissions, does the same, only for bookmarks.

FEBE – Firefox Environment Backup Extension allows you to backup Firefox data, including extensions, themes, preferences, passwords and cookies regularly. I personally prefer MozBackup for this, but this extension is a solid alternative.

Perspectives – Aids Firefox users securely identify Internet servers by verifying certificates using a collection of Network Notaries.

NoRedirect – Gives you back the control over HTTP redirects. Many ISPs these days redirect you to their own search page if you mistype a web address in a browser. NoRedirect in addition offers previews for shortened urls and stops the redirection of smart error pages and more.

Dr. Web Anti-Virus Link Checker – Send files that you want to download with an online virus scanner before you do so. This can be done without downloading the file first to your computer.

Alternative: VTZilla (Caution: Not hosted on Mozilla.org) that sends files to Virus Total where they are checked against 40 different antivirus engines.

Web of Trust – Displays rating symbols for websites that you visit. Ratings include trustworthiness, vendor reliability, privacy and child safety.

Alternative: LinkExtend – Uses eight safety services instead of just one to rate links before you visit the web sites.

Search Engine Security – Changes the referrer when visiting web pages from search engines to protect against some forms of malicious redirects.

Closing Words

Firefox users can improve the security of the web browser significantly with add-ons. Many add additional layers of protection to the browser, which can keep you safe, or at least safer, on the Internet.

Did I miss a security add-on that you use all the time? Let me know about it in the comments.

The beta release notes classify Firefox 4.0.1 as a security and stability release. Bugzilla lists a total of 53 bugs that have been fixed in the latest Firefox release. Of those, 12 have received a severity rating of critical, another 9 one of major.

The majority of critical issues have been crash and freeze related, only two address other issues. Other notable fixes include a issue where Adobe pdf documents with a size larger than 5 Megabytes could not be loaded in the browser, problems with the address bar and other text edits after loading pdf documents using Adobe Reader X and the inability to refine searches on Yahoo answers.

It can take up to 24 hours before the release is officially announced on the homepage and via the browser’s built-in updating functionality. It is likely that download portals such as Softpedia or Major Geeks will be faster and offer the download on their sites before the official announcement.

Since it is a security release it is important to update the web browser as soon as possible. A good starting point is the official Mozilla Release Mirrors listing which often provide access to downloads for all languages and operating systems before the final release announcement on the Mozilla Firefox website.

The release notes are accessible here.

While it may be tempting to upgrade to Firefox 4 right away, it is often better to test a new browser version before turning the temptation into action. The main reason for waiting is that some extension developers waited for the final Firefox release before starting work on making their extensions compatible with Firefox 4.

Firefox 3.6.16 and 3.5.18 are now available for all supported operating systems and languages. Existing users should receive update notifications during startup. The update check is also available manually from the Help > Check for Updates menu. It is alternatively possible to download the latest version from the Mozilla website directly. The download options are however deeply nested on the site, not as easy to find since Mozilla starting pushing the release of Firefox 4.

Both updates blacklist “a few invalid HTTPS certificates”. A post detailing the issue on the Mozilla Security blog points out that “users on a compromised network could be directed to sites using the fraudulent certificates [to] mistake them for [..] legitimate sites”. It would then be possible to deceive “them into revealing personal information such as usernames and passwords” or “into downloading malware”.

The issue is not Firefox specific, but Mozilla made the decision to protect Firefox users from possible exploits by blacklisting the revoked certificates.

Firefox 3 users should update their web browser as soon as possible, either to the latest Firefox 3 branch releases or the newly released Firefox 4, to protect the browser from possible exploits of the issue.

Recently I have discovered an add-on called Dubser which is listed at the Mozilla website.

Dubser sounds like an interesting add-on:

Dubser makes your daily browsing easier. With our unified interface, you have instant access to popular web services like dictionaries, search engines, social network services and more. It offers you a completely new way of accessing these web services in your browser without disturbing pop-up windows and unwanted browser tabs, just as if you had a browser in browser. It helps you to

improve your browsing efficiency
speed up your searching process
perform many tasks more easily in your browser
collect your frequently used web-based services in one place

The download of the add-on however links to the developer site that hosts the add-on exclusively.

What does it mean? Mozilla explains it on their website when the user clicks on the button leading to the external website: “This add-on is hosted on the developer’s own website and has not been reviewed by Mozilla. Be careful when installing third-party software that might harm your computer”.

Add-ons that are not hosted on Mozilla.com are not reviewed by Mozilla. Heck, not even all add-ons that are hosted on the Mozilla site are reviewed, but that is only temporary for new add-ons. Hosting it on the Mozilla website means that developers are willingly submitting their add-ons for review.

With externally hosted add-ons it is different and I shy away from downloading and installing those add-ons because of the risks involved. While it is not likely that Dubser or any other externally hosted add-on is indeed malicious, it is not an easy thing to check, at least not for me and other users who are not Firefox developers or experts.

So, instead of installing Dubser I have made the decision to ignore it for now. I will revisit the page at Mozilla from time to time to see if the add-on is hosted and reviewed on the official website. If it is I will install it and write a review about my experience with it.

Hosting add-ons on the official website adds a seal of security and trust to those add-ons and developers should consider to at least co-host their add-ons on the official Mozilla website.

Update: The Add-on has been removed from Mozilla.

The beta release notes list the major issues that have been fixed:

Firefox 3.6.13 fixes the following issues found in previous versions of Firefox 3.6:

Fixed several security issues.
Fixed several stability issues.

Bugzilla goes into more detail by listing all bugs that have been fixed in Firefox 3.6.13. A total of 67 bugs have been fixed in the update including 21 critical and one blocker bug. Interested users can visit Bugzilla to access the list. Firefox users who do not want to wait can try some of the official community mirror servers to download the release immediately.

The new versions of the browser are currently distributed to the release servers. It usually takes a couple of hours before the releases are pushed to the users who will receive an update notification once the new version becomes officially available.

The new version numbers are Firefox 3.6.12 and Firefox 3.5.15. We have uploaded the English versions to a file hoster, in case you want to download it right away to protect your computer system. You also find the new versions for all supported operating systems and languages on the release servers.

Users who want to wait for the official release should disable JavaScript in the meantime, as the exploit requires JavaScript enabled.

The release notes are up already, they simply confirm that the critical security vulnerability was fixed in this Firefox update:

Firefox 3.6.12 fixes a critical security issue that could potentially allow remote code execution.

Downloads:

http://www.mediafire.com/file/i5wdlb4ek2mi6i8/Firefox%20Setup%203.5.15.exe

http://www.mediafire.com/file/t4clgc7vkxwdxj2/Firefox%20Setup%203.6.12.exe

We expect an official release announcement in the next hours. The reaction time to resolve the vulnerability was excellent to say the least.

The backdoor tries to retrieve the path of the Windows directory to copy the file symantec.exe to %WINDIR%\temp\symantec.exe. Once the file is created there, autostart keys are added to the Windows Registry to load the file on system startup. The keys are added both to the user and local machine parts of the Registry, and the reg command is used to add them.

The program then tries to create two connections to Internet servers, namely to nobel..mooo.com and update.microsoft.com. After these initial connections it tries to connect to two additional servers, both of which appear to be offline currently. If they are offline, the malware stops executing and exits.

On a successful connection, the malware opens a shell and the attacker can access the local computer with the same rights the malware was executed with.

Mozilla appears to be aware of the vulnerability and is developing a patch to protect the browser from the vulnerability. (via)

Update: Office Mozilla Response Up, suggest to disable JavaScript to protect the browser from the vulnerability.

Firefox users who can wait a bit longer can check for updates manually in the web browser by clicking on The Help menu link.

The release notes have not been updated, but the beta release notes mention several security and stability issues that have been fixed

Bugzilla lists 40 bugs that have been fixed in the release, of which seven have received a critical rating.

Expect a final release later today. The Firefox client will pick up on new releases automatically once they are released officially.

The new version of the web browser is currently distributed to worldwide mirror servers, and will be announced officially once the distribution completes.

As of now, it is only available directly on the Mozilla ftp site. The release notes are still mentioning Firefox 3.6.7 Beta and not the final release, it is expected that they are updated to reflect the final release.

Bugzilla lists a total of 76 bugs that have been fixed in the new version of the web browser, among them ten critical issues, and seven major issues.

firefox 367

Specifically Windows 7 users will see several improvements, a memory leak issue has been fixed as well as two Windows 7 taskbar related issues.

Official downloads will be made available on the release notes page later on. Users who do not want to wait this long can check the ftp server to find the release for their operating system and language.

A recent blog post on the Mozilla Add-ons blog revealed that the developers had to deal with two add-ons falling in those two categories recently.

The first add-on, Mozilla Sniffer, contained code that intercepted and send login information to a remote server on the Internet.

The issue was discovered on July 12, six days after the addition as an experimental add-on on the Mozilla website. The add-on was disabled immediately after a manual code review and added to the global blocklist.

A total of 1800 installations have been recorded prior to the detection, all users who have installed the add-on receive an automatic uninstallation request, triggered by the addition to the blocklist.

Firefox users who have or had the Mozilla Sniffer add-on installed need to change all their login information on all sites they have visited since installing the add-on to prevent possible account access of third parties.

All add-ons that are uploaded by developers to the Firefox add-on repository are scanned for malicious code. A manual review of the add-on follows at a later time. The virus scan did not detect the “phone home” function, so that the add-on was listed as an experimental add-on on the public website.

It is obvious that this verification process is flawed. It might not happen often that malicious add-ons pass the initial scan but it has happened in the past.

Back in February two add-ons were discovered in the add-on repository that contained malicious code. Mozilla back then increased the number of malware scanners and the frequency of the scans.

A new security model has been proposed which changes the review process so that only code-reviewed add-ons are visible to Firefox users on the add-on’s website.

Cool Previews was the second add-on the Mozilla developers had to deal with. A critical security vulnerability was discovered in version 3.0.1 of the add-on, installed by more than 170k users.

The vulnerability can be triggered using a specially crafted hyperlink. If the user hovers the cursor over this link, the preview function executes remote JavaScript code with local chrome privileges, giving the attacking script control over the host computer.

Version 3.0.1 and earlier of Cool Previews have been disabled after the discovery. The developer of Cool Previews managed to update the add-on within a day of notification, the new version is already available on the Mozilla website and as an update.

Add-on updates are displayed automatically to Firefox users. Additional information are provided at the Mozilla blog post.

I have been a beta user ever since the first version of Firefox 3.6.4 came out. The latest build is a security and stability update which makes it a recommended update for everyone who is already working with Firefox 3.6.4.

The only viable source of information at this point is the Bugzilla bug listing as the release notes do not list changes in beta and alpha builds separately.

Bugzilla lists many critical crash bugs mostly related to plugins. Seems that the developers are still working on the out of process plugin capability which is likely to be responsible for the crashes.

Firefox 3.6.4 users should receive an update notification directly in their web browser. The new build of Firefox is also available on the developer’s site for all operating systems and languages.

Users who are running a beta or developer version of Firefox 3.6.4 can go to Help > Check for Updates to display the information about the update with options to download and install it right away.

Firefox 3.6.x users who want to update to Firefox 3.6.4 right away because of the security and stability improvements need to install the beta version first and then perform the update check.

The beta version is available on the Firefox beta page.

The full list of bugs that are fixed can be viewed at Bugzilla. The bugs included two rated as blocker, 19 as critical and eight major ones. The total amount of bugs fixed in Firefox 3.6.4 is 189 across all supported operating systems.

A memory corruption flaw leading to code execution was reported by security researcher Nils [..] Nils found a case where the moved node incorrectly retained its old scope. If garbage collection could be triggered at the right time then Firefox would later use this freed object.

The exploit is only affecting Firefox 3.6 versions which means that users who are still running Firefox 3.6 or Firefox 3.6.1 should also update their version to the latest immediately.

Firefox 3.6.3 is already available via the browser’s automatic update check which is the most comfortable option to update the web browser. The download is also provided on the Mozilla website for users who want to download the setup files to their computer system first.

Firefox 3.0.19 is the final update for the 3.0.x branch of Firefox, there will be no more updates after this one. The final update is a security and stability upgrade for the web browser which makes it an recommended update for all users who are still using the browser.

The complete list of changes over at Bugzilla lists 55 bugs in total that have been fixed in Firefox 3.0.19. Of those 55 bugs 14 have been rated critical and 6 as major. The update is available from the official Mozilla Firefox website or by using the automatic update check in the web browser.

Firefox 3.5.x was also updated to Firefox 3.5.9 which has also been a security and stability update, likely with many updates that have also been made to Firefox 3.0.19. Bugzilla lists the same amount of bugs that have been fixed. It is here again recommended to update the Firefox browser as soon as possible to improve the browser’s stability and security.

Users who are still using the Firefox 3.5.x branch can download the latest version from the Mozilla website as well or use the automatic update option in the browser. Firefox 3.5.x will continue to be supported.

Firefox 3.6.2 has been released and is already available through the web browser’s automatic update check and as a download at the Mozilla Firefox homepage.

Bugzilla lists 111 bugs that have been fixed in Firefox 3.6.2 of which 21 have been classified as critical by the Mozilla developers. The recently reported security vulnerability is not the only security vulnerability fixed in the latest Firefox release.

Mozilla developers ask Firefox users to upgrade to Firefox 3.6.2 as soon as possible to protect their computer system from possible attacks that exploit the vulnerabilities.

Several stability issues have been fixed in the new version of Firefox as well. The Firefox 3.6.2 download is provided at the official Mozilla website or through the web browsers automatic update check.

Firefox 3.6.2 is available for all supported operating systems and languages. Firefox users should look at the known issues section in the release notes to make sure that they do not run into problems after updating their web browser.

The security vulnerability was discovered in February by Russian security researchers who did not communicate directly with the Mozilla development team. This was the main reason for the long patch development.

The patch has already been included in beta versions of Firefox 3.6.2 which currently undergo quality assurance tests before the final release.

Firefox 3.6 users who are concerned about the security vulnerability are asked to install the latest released beta version of Firefox 3.6.2 to protect their computer system from the remote exploit.

Another option is to use a different web browser for the time being until the official version of Firefox 3.6.2 has been released. We will inform you as usual as soon as we got our hands on the final release of Firefox 3.6.2 which sometimes is 24-48 hours before the official release announcement and the automatic update check notices the new release.

The latest beta of Firefox 3.6.2 which contains the security patch can be downloaded from the Mozilla ftp server.

The few facts that are know are the following: The vulnerability is a remote code exection vulnerability that can be used by malicious users to comprise the operating system.

It is however not clear how the exploit works and if it is already in the wilds. Secunia rates the exploit as highly critical without going into further detail as well.

An official statement has not been published yet by the Mozilla developers. It is likely that the increase in reports about the vulnerability will trigger an official response soon. The Mozilla team seems to be aware of the vulnerability according to information posted on The H. (via Download Squad)

Only the beta changelogs of both new web browser versions are available at the Mozilla website which usually only list some of the updates of the new releases.

Interested users can access the Firefox 3.5.8 and 3.0.18 beta changelogs which do link to the Bugzilla page that lists all the updates in both releases.

Bugzilla lists three critical, three major and 13 normal bug fixes in Firefox 3.0.18 and nine critical, six major and 48 normal or minor bug fixes in Firefox 3.5.8. Both Firefox 3.5.8. and Firefox 3.0.18 will be offered for download at the Mozilla website and from within the web browser after performing a check for browser updates.

Users who do not want to wait that long can take a look at download portals like Betanews or Major Geeks who usually offer downloads for Firefox updates earlier than they are announced at Mozilla. It might also be a good idea to switch to the recently released Firefox 3.6 instead which is currently the newest official Firefox release.