Firefox 1.0.4 candidates

These are release candidates for Firefox 1.0.4. If you've been following Asa's blog, these candidates are the ones he calls final (hopefully) 1.0.4 candidates. I hadn't posted earlier candidates because they didn't contain fixes for all of the blocking security holes.

There is a post about these builds on Asa's blog. If you think you've found a regression, please report it using IRC or post a comment on Asa's blog entry. If no problems come up, these builds will become Firefox 1.0.4 tonight (PDT).

Please help test these builds. Trunk doesn't have all the security fixes, and testing 1.0.4 candidates should be more fun than disabling JavaScript or only visiting sites you trust. If you've been using trunk, be sure to install this build into a different directory, because installing 1.0.x on top of trunk can cause problems. I don't know whether you'll need to create a new profile.

Security fixes in Firefox 1.0.4:

  • Fixed: 292691#c5 - XSS security hole involving frames and javascript: URLs. Regression in Firefox 1.0.3.
  • Fixed: 292691#c14 - Sites whitelisted for extension installation can execute arbitrary code by abusing a security hole in the extension-installation dialog. Regression in Firefox 1.0.3. Firefox only (not in Mozilla suite).
  • Fixed: 290949 - <link> tag still allows to execute arbitrary code without user interaction (variant of 290036, which was fixed in Firefox 1.0.3).
  • Fixed: 290908 - (Security hole involving new Script(). Regression in Firefox 1.0.3.)
  • Fixed: 290982 - (Security hole involving jar:, view-source: protocols)
  • Fixed: 293671 - (Security hole involving nested jar:, view-source: protocols)

All other fixes in Firefox 1.0.4:

  • Fixed: 290777 - Regression in defining getters on prototypes in content script. (aka The Firefox 1.0.3 DHTML regression.)
  • Fixed: 290476 - js_AllocStack doesn't clear space it returns.
  • Fixed: 280137 - [OS/2] Get rid of PMWINX dependency.
  • Fixed: 272369 - [S390] firefox -register results in SIGSEGV.
  • Fixed: 264324 - [S390] Incorrect defines in s390/s390x.

Windows builds: Official Windows, Official Windows installer

Linux builds: Official Linux, Official Linux installer

Mac builds: Official Mac

13 Responses to “Firefox 1.0.4 candidates”

  1. Charlie Fiend Says:

    Thanks! What should we be looking out for? Half the security fixes bugs say “access denied”.

  2. Jesse Ruderman Says:

    Look for regressions, especially regressions involving the features that have changed.

  3. theefool Says:

    The official release has been released on the main firefox website.

  4. Kevin Hanson Says:

    something on the mac version… the apple key + forward does not go forward anymore, but the apple + back key goes back. Anyone else having this problem? Also, why are there no longer links to the G4 optimized builds of Firefox? Are they using different builds?


  6. Jesse Ruderman Says:

    This changelog has been copied to

  8. Manoj Says:

    The recent spate of security vulnerabilities in Firefox’s Javascript engine and the media coverage of these vulnerabilities are making it hard to sell Firefox to my friends as a more secure alternative to IE. I haven’t read any thoughts from the Firefox Drivers on this issue but a cursory glance at critical vulnerabilities in Firefox since its release and IE shows that Firefox has had many more *Critical* holes in the same period of time than IE. Does Firefox need to undergo a serious *Security* review?

  9. Alex Krupp Says:

    Manoj: We don’t even know how many critical vulnerabilities IE has so how could you possibly compare the two and decide that firefox has more?

  10. Westacular Says:

    I vaguely recall hearing about some studies that concluded the vulnerabilities in IE are *perhaps* less frequent, but when they do crop up they tend to be more severe and last longer before being patched. This slashdot article, and the ensuing discussion, is (I believe) where I heard this.

  11. Manoj Says:

    My data comes from bug traq queries and the slashdot article pointed to by Westacular.

