SillyDog701

[profman]

The Firefox 3.6.10 is announced a few posts down.

Firefox 3.6.9 has been released!

Firefox 3.6.9 Release Notes

Under What's New they state:

Firefox 3.6.9 fixes the following issues found in previous versions of Firefox 3.6:

* Introduced support for the X-FRAME-OPTIONS HTTP response header. Site owners can use this to mitigate clickjacking attacks by ensuring that their content is not embedded into other sites.
* Fixed several security issues.
* Fixed several stability issues.

Under Security Issues they state that the below have been fixed in Firefox 3.6.9

Fixed in Firefox 3.6.9
MFSA 2010-63 Information leak via XMLHttpRequest statusText
MFSA 2010-62 Copy-and-paste or drag-and-drop into designMode document allows XSS
MFSA 2010-61 UTF-7 XSS by overriding document charset using <object> type attribute
MFSA 2010-59 SJOW creates scope chains ending in outer object
MFSA 2010-58 Crash on Mac using fuzzed font in data: URL
MFSA 2010-57 Crash and remote code execution in normalizeDocument
MFSA 2010-56 Dangling pointer vulnerability in nsTreeContentView
MFSA 2010-55 XUL tree removal crash and remote code execution
MFSA 2010-54 Dangling pointer vulnerability in nsTreeSelection
MFSA 2010-53 Heap buffer overflow in nsTextFrameUtils::TransformText
MFSA 2010-52 Windows XP DLL loading vulnerability
MFSA 2010-51 Dangling pointer vulnerability using DOM plugin array
MFSA 2010-50 Frameset integer overflow vulnerability
MFSA 2010-49 Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12)

I was offered the update through the Firefox Software Update feature.

[Thread and post edited to reflect release of 3.6.10 right after 3.6.9.]

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 GTB7.1 ( .NET CLR 3.5.30729)

[Antony]

Thanks Profman,

According to Mozilla Developer Center, the x-frame-options HTTP header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Web sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

This feature has been available in Safari 4.0, Chrome 4.1.249.1042, Internet Explorer 8.0, Opera 10.5. Firefox 3.5 with NoScript AddOn also had this feature.

UserAgent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8

[J-M]

Mozilla is one of the major browsers where the recent DLL hijacking vulnerability is fixed now.

See
http://www.computerworld.com/s/article/ ... acking_bug

UserAgent: Mozilla/5.0 (000000000; 0; 000 000 00 0 0000; 00000; 0000000000) DDDDDDDDDDDDDD DDDDDDDDDDDDD

[profman]

Firefox 3.6.10 has been released!

Firefox 3.6.10 Release Notes

Under What's New they state:

Firefox 3.6.10 fixes the following issues found in previous versions of Firefox 3.6:

* Fixed a single stability issue affecting a limited number of users

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10 GTB7.1 ( .NET CLR 3.5.30729)

[Anonymosity]

Firefox 3.6.9 has been very stable for me. It has not crashed once.

UserAgent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; rv:1.9.2.9) Gecko Firefox/3.6.9