Mozilla Fixes Security Flaws in Firefox 25 as Interface Updates Debut

In a rare occurrence, Mozilla developers release an out-of-band update that patches five security flaws in Firefox 25.0.1.


Open-source Web development organization Mozilla is patching its Firefox Web browser with a rare out-of-band update that addresses five security flaws. The new Firefox 25.0.1 update comes as Mozilla is gearing up its much-anticipated Australis user interface update that will overhaul the way the open-source browser looks.

Mozilla moved to a rapid release cycle in 2011 with the debut of Firefox 5; ever since then, new Firefox releases have come out every six to eight weeks in rapid succession, typically without the need for any incremental point update in between. Firefox 25 debuted at the end of October, providing 10 security updates, and is now being updated by Mozilla with a Firefox 25.0.1 point release, fixing five more issues.

As to why Mozilla is issuing the security update now and not waiting another two or three weeks until Firefox 26 is released, the company is acting with an abundance of caution to protect its users.

"Mozilla is not aware of any active exploits for these issues," Johnathan Nightingale, vice president of Firefox Engineering at Mozilla, told eWEEK. "Nevertheless, once the issue was public, a determined attacker could exploit it. The safest choice was to update our users swiftly."

All five security issues in the Firefox 25.0.1 update involve the Network Security Services (NSS) library, which is the common library that provides a security component to Mozilla applications.

Among the NSS flaws that have been corrected in the Firefox 25.0.1 update is one identified as CVE-2013-5695, which is a potential buffer overflow issue. With a buffer overflow, memory is corrupted, potentially enabling attackers to execute arbitrary code. A pair of security certificate issues are also fixed as part of the NSS update, including CVE-2031-5606 and CVE-2013-1741.

As part of the update, NSS is also lowering the priority of the RC4 cipher suite, which is commonly used for Secure Sockets Layer (SSL) encryption. CVE-2013-2566 notes that, "the RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plain-text-recovery attacks via statistical analysis of cipher text in a large number of sessions that use the same plain text. "


As Mozilla secures its users with the Firefox 25.0.1 update, developers are also working on the browser's next-generation interface known as Australis.

Australis introduces a more streamlined interface and provides new interface customizations. The Australis update was previously being worked on in the Firefox UX branch of development and has now come to the Firefox Nightly development branch. The Firefox Nightly branch is the leading edge of Mozilla's development efforts for Firefox, and is followed by the Aurora release branch that serves as an alpha. After code has matured in Aurora, it heads to beta and then, when ready, on to a generally available Firefox release.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.