Mozilla pushes for fast move to Firefox 3.6

October 21, 2009

Mozilla hopes to classify the upcoming Firefox 3.6 as a minor update, a move that may sound inconsequential but that in fact might have significant repercussions for Firefox users and for the speed at which the open-source browser is developed.

Mike Beltzner, Mozilla's director of Firefox, said in a mailing list discussion that he'd like to call the new version a minor release "to quickly migrate our user base to Firefox 3.6." Minor releases in the past typically have been steps from, for example, 3.5.3 to 3.5.4, but Mozilla is trying to speed up more significant changes and not just fixes for bugs and security holes.

"Firefox 3.6 will be primarily a release with security, stability, speed and capability enhancements, with no visible user interface changes over Firefox 3.5. As such, I think we should consider it as a candidate for a minor update, stretching our definition of what types of updates we can provide using that mechanism," Beltzner said.

By default, Mozilla automatically distributes minor Firefox updates to be installed after a user prompt. Major updates initially require the user to actively retrieve the new version, though Mozilla gets more active as time passes and older versions reach the end of their support lifespans--January 2010 in the case of Firefox 3.0.

Why change the process? To keep up with changes in the browser world, Beltzner said.

"The pace of technology development in web browsers is speeding up rapidly, and we now face a challenge of ensuring that we can continue to deliver modern web browsing experiences to our users," he said.

And in a position that mirrors the rationale that Google offers for its automatically updating Chrome browser, he added, "Users' expectations of software have changed since the update mechanism was introduced in Firefox 1.5. Many applications that browser users interact with exist in the cloud, with updates pushed frequently and transparently, without consultation. That wasn't the case only a few years ago."

That sounds reasonable, right? Well, it turns out nothing is simple.

One problem is that add-ons won't work with the new version unless they're updated, too, and there are a lot of add-ons in the world. "Add-on compatibility is one of the large reasons why users do not move from one version to another," Beltzner said.

Sure enough, John Barton, an IBM employee who's a member of the group overseeing development of the Firebug add-on widely used in Web site development, raised concerns about moving quickly to 3.6 and the current version 1.4 of the add-on.

"We're a little confused by a Firefox 3.6 that can't decide if it is 3.6 or 3.5.5. If 3.6 is really minor, release it as 3.5.5. Else, well then it's not minor after all," Barton said, though adding, "I support shorter release cycles in Firefox."

Add-on compatibility problems are one reason Mozilla is moving to the new Jetpack extensions system in Firefox 4.0 next year.

One of the big new features in Firefox 3.6, code-named Namoroka, is the arrival of Personas, which lets people customize the browser appearance.

Mozilla said the first beta of Firefox 3.6 is due this weekend or early next week, and Beltzner said there currently are no plans for a second beta. The final version is due by the end of the year.

 

Adobe exploit puts backdoor on computers

October 11, 2009

A new zero-day exploit targeting Adobe Reader, as well as 9.1.3 and earlier versions of Adobe Systems' Acrobat, drops a backdoor onto computers using JavaScript, Trend Micro researchers warned on Friday.

Trend Micro identified the exploit as a Trojan horse dubbed "Troj_Pidief.Uo" in a blog post. It arrives as a PDF file containing JavaScript-based malware, "Js_Agent.Dt," and then drops a backdoor called "Bkdr_Protux.Bd."

The exploit affects Microsoft Windows 98, ME, NT, 2000, XP, and Server 2003, according to Trend Micro.

The blog post provides technical details on how the malware works, specifically the activity of its shell code, the piece of code that delivers the payload. The JavaScript is used to execute arbitrary code in a technique known as "heap spraying."

"Based on our findings, the shell code (that was heap-sprayed) jumps to another shell code inside the PDF file" before extracting and executing the backdoor, Trend Micro said. The backdoor "is also embedded in the PDF file and not the usual file downloaded from the Web."
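A defender's first-pass check for the pattern described above (JavaScript inside a PDF, with further content embedded in the same file), added here as an example and not taken from Trend Micro's post or any Adobe tool. It counts the PDF name tokens that declare script, auto-run actions and embedded files, including names written with #xx escapes or placed inside Flate-compressed streams; the watched-name list, the `needs_review` heuristic and the sample bytes are assumptions constructed for illustration.

```python
import re
import zlib

# Names a triage pass looks for: script, auto-run actions, embedded files.
WATCHED = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/EmbeddedFile")
NAME_RE = re.compile(rb"/[^\s/<>\[\]()%{}]+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

def decode_name(raw):
    """Undo #xx hex escapes, so /J#61vaScript is read as /JavaScript."""
    fixed = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)
    return fixed.decode("latin-1")

def inflated_streams(data):
    """Yield contents of streams zlib can inflate; trailing EOL bytes are tolerated."""
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # other filters and encrypted streams are not handled

def triage_pdf(data):
    """Count watched names in the raw file and inside inflatable streams."""
    counts = dict.fromkeys(WATCHED, 0)
    for blob in [data, *inflated_streams(data)]:
        for m in NAME_RE.finditer(blob):
            name = decode_name(m.group(0))
            if name in counts:
                counts[name] += 1
    return counts

def needs_review(counts):
    """Heuristic (assumption): script plus an auto-run action or embedded file."""
    script = counts["/JS"] + counts["/JavaScript"]
    return script > 0 and (counts["/OpenAction"] + counts["/AA"] + counts["/EmbeddedFile"]) > 0

# Constructed, inert sample: PDF-like bytes with placeholder content only.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /J#61vaScript /JS 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"<< /S /JavaScript /JS (placeholder) >>")
    + b"\nendstream\nendobj\n"
    b"4 0 obj\n<< /Type /EmbeddedFile >>\nstream\nplaceholder\nendstream\nendobj\n"
)

if __name__ == "__main__":
    print(triage_pdf(SAMPLE), needs_review(triage_pdf(SAMPLE)))
```

A hit means the file deserves analysis in an isolated environment, not that it is malicious; many legitimate PDFs carry JavaScript or attachments.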

Variants of the Protux backdoor typically provide an attacker unrestricted user-level access to a compromised machine and previously exploited vulnerabilities in Microsoft Office files, according to Trend Micro.

Adobe announced on Thursday that it would release an update to fix the hole on Tuesday, the same day as Microsoft's Patch Tuesday.

This screenshot shows the embedded executable file in the PDF file, after it has been decrypted.

 

Comcast pop-ups alert customers to PC infections

October 9, 2009

Comcast is launching a trial on Thursday of a new automated service that will warn broadband customers of possible virus infections, if the computers are behaving as if they have been compromised by malware.

For instance, a significant overnight spike in traffic being sent from a particular Internet Protocol address could signal that a computer is infected with a virus taking control of the system and using it to send spam as part of a botnet.

Comcast is launching a trial of a service that will warn customers via a browser pop-up that their computers may have been compromised by malware.

The alerts are triggered "when we see computers on our network that are doing things that are known bot activities--say, a computer is spewing out thousands of spam e-mails," said Jay Opperman, senior director of security and privacy at Comcast.

The Philadelphia-based cable giant, which is the largest residential Internet service provider in the United States, with 15.3 million consumer customers, also is alerted to compromised customer computers when an IP address of one of its customers is identified as the source of spam on an industry spam list, Opperman said.

Customers in Denver are set to begin receiving notifications that their system may be infected with a virus or other malware via a pop-up message in the browser, as part of the new free service, called Comcast Constant Guard. The "Service Notice" will include a link to a Comcast security Web site where customers can follow a set of instructions to remove the malware from their computer.

If customers don't have antivirus software, they can download McAfee Internet Security Suite for free. Comcast also offers a Comcast Toolbar that includes spyware detection and removal, a pop-up ad blocker, antiphishing software, and antispam protection for e-mail.

The company first started notifying customers about the security issues about a year ago, with support representatives calling customers on the phone, Opperman said.

"We learned that customers love it," he said. "We wanted to reach more people and to automate the process."

This appears to be the first service through which a major ISP proactively notifies customers about security issues on their computers. For years, security experts have complained that ISPs are uniquely positioned, and should do more, to help customers combat security problems. But ISPs have been reluctant to assume additional responsibilities that are not central to their core service offering and for which they would then have to maintain a standard, going forward.

"I would hope that the government would do things to encourage this, if you alleviate some of the potential concerns that others may have about giving that kind of notification," said Jerry Upton, executive director of the Messaging Anti-Abuse Working Group. "I think it's the beginning of many ISPs and network providers realizing that customers need a little better knowledge of what the problems are out there."

Alissa Cooper, chief computer scientist for the Center for Democracy and Technology, said the organization welcomes Comcast's initiative.

"ISPs have a helpful role to play in helping subscribers mitigate these kinds of security threats," she said. "The challenge is...when users get these notices, do they understand them? Do they trust that they are real? Do they follow through to the point where they clean up their computers?"

The new service will eventually be rolled out in the rest of the country, replacing the phone calls Comcast has been using to notify customers of security problems, Opperman said.

Asked how many alerts have been sent to customers with Macintosh computers, Opperman said he could not provide a specific number but that there had been some.

 


