Security firm Secunia are warning of a zero-day securty exploit which has been discovered in Firefox 3.5 allowing a milicious site to execute arbituary code.

“The vulnerability is caused due to an error when processing JavaScript code handling e.g. ‘font’ HTML tags and can be exploited to cause a memory corruption” said a spokesperson from Secunia.

No word from Mozilla on a fix yet, but Firefox 3.5.1 will likely be released in the coming days to address the issue.

Nightly Mac builds of WebKit, the basis of which Safari and Google Chrome are built on, now include 3D CSS transforms.

3D CSS transforms allow web developers to manipulate objects in the third dimension with simple CSS rules. Current CSS3 standards do not include these 3D transforms, but Apple has submitted 3D CSS transforms to the W3C for consideration as an official CSS standard.

The 3D transforms are already available in iPhone OS 2.0 and up.

Users or developers wanting to check out this new feature can download the latest nightly build from WebKit. The following 3D transform demos are available:

• Charles Ying’s Snow Stack photo browser
• Peter Zich’s 3D Van “model” rotating in space
• Peter Zich’s 3D Image Fly, another image browser (hint: click and drag to rotate)

Microsoft has released Silverlight 3, after being in beta testing since March 2009.

Silverlight 3.0 includes over 50 new features, including graphic processing unit (GPU) acceleration, 3D support, H.264 video support and out-of-the-browser capabilities to Silverlight.

A full list of features can be read on the Silverlight website. Silverlight 3 is available for Windows and Mac OS X today.

Apple has released Safari 4.0.2 for both Mac and Windows, which is available through either software update or through the Safari website.

The update addresses two security vulnerabilities and improves the stability of the Nitro JavaScript engine used by Safari and are described below:

• An issue in WebKit’s handling of the parent and top objects may result in a cross-site scripting attack when visiting a maliciously crafted website. This update addresses the issue through improved handling of parent and top objects.
• A memory corruption issue exists in WebKit’s handling of numeric character references. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of numeric character references. Credit to Chris Evans for reporting this issue.

The update is recommended for all Safari users.

More news has surfaced about multi-process support for Firefox, with a prototype now completed.

Multi-process support gives each tabs, window, and plugins its own process. Browsers such as Google Chrome and Internet Explorer 8 already support this feature.

Benjamin Smedberg has blogged about the benefits of multi-processes:

• Increased stability: if a plugin or webpage tries to use all the processor, memory, or even crashes, a process can isolate that bad behavior from the rest of the browser.
• Performance: By splitting work up among multiple processes, the browser can make use of multiple processor cores available on modern desktop computers and the next generation of mobile processors. The user interface can also be more responsive because it doesn’t need to block on long-running web page activities.
• Security: If the operating system can run a process with lower privileges, the browser can isolate web pages from the rest of the computer, making it harder for attackers to infect a computer.

Firefox developer Chris Jones has posted a screencast demoing the new technology.

No word on a final release date yet, but we may see this technology in production version some time in late 2010. Currently the team are focusing on Windows and Linux versions.

Microsoft has announced that a serious exploit in Microsoft’s Video ActiveX Control can allow hijackers complete access to a remote system.

The zero day exploit affects Internet Explorer 6 and 7 users when they visit an infected web site if they are using either Windows XP or Windows 2003.

Windows Vista, Windows 7 and Internet Explorer 8 users are safe for now. No patch is currently available but Microsoft has posted a workaround for the exploit.

A patch is in the works, but no details on when it will be released have been announced.

Links:

• Enable workaround
• Disable workaround

Microsoft has pulled a web only Internet Explorer 8 ad which depicts a woman projectile-vomiting.

The ad was aimed at promoting Microsoft’s InPrivate browsing feature, but now has users wondering if it is even an Microsoft creation.

Featuring actor Dean Cain, the ad shows a woman vomiting after seeing her husband’s Web browsing history and is still available on YouTube.

You can watch the ad below (if you dare).

Read more

Firefox 3.5 was downloaded more than 5 million times in 24 hours, but this is still 3 million less than the 8 million downloads when Firefox 3 was released.

With the release of Firefox 3.5, Mozilla have provided real time Firefox download information. Current downloads totals for 3.5 are nearing 9 million in just 2 days.

Overall Firefox downloads are estimated to be over 900 million.

Mozilla has finally released Firefox 3.5 final, the next installment in the Firefox series.

Firefox 3.5 is more than twice as fast as Firefox 3, and 12 times faster than Firefox 2.

New features includes support for HTML5 audio and video tags, private browsing, faster JavaScript engine and of course better stability and security.

A full list of changes can be found in the release notes, while the new browser can be downloaded from Firefox.