Firefox 10.0.1 Update Fixes Critical Bug

If you set Firefox for automatic updates, one way to tell that Firefox has been updated is that it always requires you to restart your browser. Firefox 10 was updated over the weekend to version 10.0.1 to fix a critical bug that can potentially be exploited by attackers. The bug also affects Firefox ESR (Extended Support Release), Thunderbird and SeaMonkey.

The security hole is within nsXBLDocumentInfo::ReadPrototypeBindings.

Mozilla developers Andrew McCreight and Olli Pettay found that ReadPrototypeBindings will leave an XBL binding in a hash table even when the function fails. If this occurs, a crash will occur when the cycle collector reads this hash table and attempts to call a virtual method on this binding. This crash may be potentially exploitable.
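The failure-path pattern described above, as a simplified C++ model added here; it is not Mozilla's code. `Binding`, `BindingTable`, `ReadBody`, the `complete` flag and the sample inputs are assumptions made for illustration, and the stale entry is modeled as an incomplete object rather than whatever state the real binding was left in.

```cpp
#include <cstddef>
#include <map>
#include <memory>
#include <string>

// Assumption: a binding is only safe to visit once it has been fully read.
struct Binding { bool complete = false; };
using BindingTable = std::map<std::string, std::unique_ptr<Binding>>;

// Stand-in for deserialization; rejects constructed "corrupt" input.
static bool ReadBody(const std::string& data, Binding& b) {
    if (data.empty() || data[0] != 'B') return false;
    b.complete = true;
    return true;
}

// Leaky pattern: the entry is published to the table before the read
// finishes, and the failure path returns without removing it.
bool ReadBindingLeaky(BindingTable& t, const std::string& id,
                      const std::string& data) {
    auto& slot = t[id];
    slot = std::make_unique<Binding>();
    return ReadBody(data, *slot);  // on failure the entry stays behind
}

// Hardened pattern: build off to the side, publish only on success.
bool ReadBindingSafe(BindingTable& t, const std::string& id,
                     const std::string& data) {
    auto b = std::make_unique<Binding>();
    if (!ReadBody(data, *b)) return false;  // nothing was published
    t[id] = std::move(b);
    return true;
}

// What a later pass over the table (the cycle collector's role in the
// advisory) would encounter: entries that were never fully formed.
std::size_t CountIncomplete(const BindingTable& t) {
    std::size_t n = 0;
    for (const auto& kv : t)
        if (!kv.second->complete) ++n;
    return n;
}

int main() {
    BindingTable leaky, safe;
    ReadBindingLeaky(leaky, "x", "corrupt");  // constructed bad input
    ReadBindingSafe(safe, "x", "corrupt");
    return (CountIncomplete(leaky) == 1 && safe.empty()) ? 0 : 1;
}
```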

You can force Firefox to update or just wait until you’re prompted. Since it’s critical, it’s probably a good idea to force an update. You can usually find it on About > Apply Upgrade.

In addition, there’s an interesting article speaking of Firefox’s impending demise. Personally, I wouldn’t call Firefox dead. It’s just that Chrome and others are making the browser war very competitive. It’s a good thing. A little competition between browsers is good for everyone.