One of the biggest fixes that’s been implemented in the Firefox 4 beta (Windows | Mac | Linux) repairs a hole that affects all browsers, a decade-old vulnerability that was mentioned in the documentation for CSS2. The exploit is a CSS sniffing history attack, where malicious code can gain access to your browser history by manipulating link appearance and style. What made the bug so difficult to repair is that the simplest solution, to prevent all link style manipulation, would be like throwing the baby out with the bathwater, said Firefox’s director of development, Jonathan Nightingale. Changing an already-visited link’s colors is one the most-used features of the Web, and it would be catastrophic to prevent that.
Nightingale added that Wednesday’s release of Safari 5.0.1 has incorporated the fix.
Another type of bug addressed in the Firefox 4 beta is an XSS primary scripting exploit. […]
Other changes in Firefox 4 promise to be less technical. Firefox’s approach to browser updates is changing, and sounds like in some cases it will more closely resemble Google Chrome’s automatic updates. "There are updates that we want you to know about, and that you’ll have a choice to install or not, but there’s also updates that we just want to get our security patches out," said Nightingale. Those silent updates will be rolled out first to Windows users because Windows experience the most security risks, he said, but Mac and Linux users will eventually see them, too.
CNET Download Blog