Firefox 3.6 Released

January 21, 2010

The Mozilla organization has released version 3.6 of the Firefox Web browser.  The new version adds several feature improvements, including:

  • Better support for HTML 5 native video, including full-screen video
  • Improved JavaScript performance, and the capability for asynchronous script execution
  • Improved support for DOM, HTML5, and CSS specifications
  • Detection of out-of-date browser plugins

Complete information on the changes is available in the Release Notes.  Installation binaries for all platforms (Mac OS X, Linux, and Windows), in more than 70 languages, are available from the download page.

Update Thursday, 21 January, 16:45

There are initial reviews of the new 3.6 release available at Ars Technica and Webmonkey.

Microsoft Releases IE Patch

January 21, 2010

As expected, Microsoft today released an out-of-schedule security fix for the Internet Explorer vulnerability that I’ve discussed before. (This is the vulnerability used in the Chinese attack on Google, Adobe, and others.)  The patch applies to all versions of Internet Explorer (6, 7, and 8) on all supported versions of Windows, and is rated as Critical in almost all cases.  Details and download links for the patch are available in the Security Bulletin Summary. (Note that this page is an updated version of the regular “Patch Tuesday” page for January.  The new vulnerability is MS10-002.)

I recommend installing this patch as soon as possible.  One of the flaws it fixes is being actively exploited now.

Windows Kernel Vulnerability

January 21, 2010

Microsoft has published a Security Advisory (979682) regarding a newly-discovered security vulnerability in the Windows kernel.   The vulnerability itself is anything but new, and appears to be present in every 32-bit “NT” version of Windows from Windows NT 3.51 through Windows 7.  In order to support BIOS function calls in legacy 16-bit (!) applications, Windows includes a facility called the Virtual DOS Machine.  This is a protected-mode subsystem that is used to run applications originally intended for MS-DOS under Windows.  Inadequate handling of exception conditions would allow a malicious program to execute with system-level privileges.  This vulnerability does not affect 64-bit versions of Windows, since they do not include the Virtual DOS Machine component.

Microsoft suggests a workaround for the problem, which is to disable access to 16-bit applications using the Group Policy Editor.  Instructions for doing this are in the Advisory.   Most current configurations should have no need for 16-bit compatibility, but it is of course advisable to test any important systems.  (Conceivably, for example, a legacy device or application might silently make use of this capability.)

The SANS Internet Storm Center has a diary entry on this issue.  The security firm Neohapsis has a detailed technical discussion of the vulnerability.
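
One way to audit a host for the workaround described above, as an added example that is not from the original post or the Advisory. It assumes the "Prevent access to 16-bit applications" policy is stored as the `VDMDisallowed` DWORD under `HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat` and that PowerShell 3.0 or later is available; the function name `Get-NtvdmExposure` is hypothetical.

```powershell
# Added example: report whether this host still allows the Virtual DOS Machine.
# Assumption: the Group Policy workaround is recorded as VDMDisallowed = 1
# under the machine-wide AppCompat policy key.
function Get-NtvdmExposure {
    [CmdletBinding()]
    param(
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
    )

    # 64-bit Windows does not include the Virtual DOS Machine component.
    $is64Bit = [Environment]::Is64BitOperatingSystem

    # Informational: is the NTVDM binary present on disk?
    $ntvdmPath    = Join-Path $env:SystemRoot 'System32\ntvdm.exe'
    $ntvdmPresent = Test-Path -LiteralPath $ntvdmPath

    # Read the policy value; a missing key or value means "not configured".
    $policyValue = $null
    $prop = Get-ItemProperty -LiteralPath $PolicyPath -Name 'VDMDisallowed' `
                -ErrorAction SilentlyContinue
    if ($prop) { $policyValue = $prop.VDMDisallowed }

    $status = if ($is64Bit) {
        'NotAffected'          # no 16-bit subsystem to disable
    } elseif ($policyValue -eq 1) {
        'WorkaroundApplied'    # 16-bit applications are blocked by policy
    } else {
        'Exposed'              # 32-bit host, policy absent or set to 0
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Is64BitOS     = $is64Bit
        NtvdmPresent  = $ntvdmPresent
        VDMDisallowed = $policyValue
        Status        = $status
    }
}

Get-NtvdmExposure | Format-List
```

A host reporting `Exposed` is a candidate for the policy change; test any legacy 16-bit dependencies on it first, as noted above.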
